CVE-2026-59862 in Kiota
Summary
by MITRE • 07/16/2026
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Python generator let attacker-controlled enum value descriptions from x-ms-enum.values[].description flow through KiotaBuilder.SetEnumOptions into Documentation.DescriptionTemplate and PythonConventionService.RemoveInvalidDescriptionCharacters without newline sanitization, allowing generated inline comments to split and execute attacker-controlled Python code at module scope when generated modules were imported. This issue is fixed in version 1.32.0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Kiota's Python generator represents a critical code injection flaw that stems from insufficient input validation of OpenAPI specification metadata. This issue specifically affects versions prior to 1.32.0 where the code generation process fails to properly sanitize attacker-controlled data from the x-ms-enum.values[].description fields within OpenAPI documents. The vulnerability occurs during the KiotaBuilder.SetEnumOptions phase where enum descriptions are processed and subsequently passed through Documentation.DescriptionTemplate and PythonConventionService.RemoveInvalidDescriptionCharacters methods without adequate newline character sanitization.
The technical execution path begins with the parsing of OpenAPI specifications that contain maliciously crafted enum value descriptions in the x-ms-enum.values[].description fields. These descriptions, when processed by the KiotaBuilder component, flow directly into the documentation template system where they are incorporated into generated Python modules as inline comments. The failure to properly sanitize newline characters allows attackers to inject arbitrary Python code that executes at module scope during import operations. This creates a remote code execution vector where an attacker can manipulate the OpenAPI specification to inject malicious code that gets executed whenever the generated client library is imported by any application.
The operational impact of this vulnerability extends beyond simple code injection, as it represents a severe supply chain security risk. When applications import generated Python modules from vulnerable Kiota versions, they inadvertently execute attacker-controlled code within their runtime environment. This can lead to complete system compromise, data exfiltration, or lateral movement within network environments where such client libraries are used. The vulnerability affects any application that relies on Kiota-generated Python clients and consumes OpenAPI specifications from untrusted sources, making it particularly dangerous in enterprise environments where API specifications may come from external partners or third-party services.
This vulnerability maps to CWE-94, which specifically addresses "Improper Control of Generation of Code ('Code Injection')", and aligns with ATT&CK technique T1059.006 for Python command execution. The attack surface is particularly concerning given that Kiota serves as a widely used code generation tool, meaning that a single vulnerable specification can potentially compromise multiple applications across different organizations. Security practitioners should implement immediate mitigations including updating to version 1.32.0 or later, implementing strict input validation for OpenAPI specifications, and monitoring for suspicious enum value descriptions in API documentation. Organizations should also consider restricting access to untrusted OpenAPI sources and implementing runtime safeguards to detect and prevent execution of malicious code within generated client libraries. The fix in version 1.32.0 specifically addresses the sanitization of newline characters in description fields, ensuring that attacker-controlled input cannot be transformed into executable Python code within generated modules.