CVE-2026-59865 in kiota
Summary
by MITRE • 07/16/2026
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, `kiota info` read x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand plus dependency name and version values from an OpenAPI description and presented the spec-supplied command as Kiota's recommended install command, allowing an attacker-controlled or compromised description to cause command injection when the suggested command was run manually or through the Kiota VS Code extension's kiota info --json dependency-install flow. This issue is fixed in version 1.32.5.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Kiota versions prior to 1.32.5 represents a critical command injection flaw that arises from improper input validation within the `kiota info` command functionality. This issue stems from the tool's handling of x-ms-kiota-info extension properties in OpenAPI specifications, specifically the languagesInformation.dependencyInstallCommand field which is designed to provide installation guidance for dependencies referenced in API definitions. When Kiota processes these specifications, it directly incorporates and executes commands supplied by the specification authors without adequate sanitization or validation.
The technical flaw manifests when an attacker-controlled or compromised OpenAPI description contains malicious content within the dependencyInstallCommand field combined with dependency name and version values. The system concatenates these elements into a command string that is then executed by the user's shell, creating a classic command injection vulnerability. This vulnerability is particularly dangerous because it can be triggered through multiple attack vectors including manual execution of suggested commands or automated flows within the Kiota VS Code extension when using the kiota info --json dependency-install functionality. The attack surface expands significantly as developers often trust and execute suggested installation commands without scrutiny, especially in development environments where automation is common.
The operational impact of this vulnerability extends beyond immediate code execution capabilities to encompass potential system compromise, data exfiltration, and escalation of privileges. An attacker who can influence the OpenAPI specification content can execute arbitrary commands with the privileges of the user running Kiota, potentially leading to full system compromise if executed by administrators or in CI/CD environments. The vulnerability affects both manual users and automated tooling flows, making it particularly dangerous in enterprise development environments where multiple developers may be working with shared API specifications. This issue aligns with CWE-78 which specifically addresses improper neutralization of special elements used in OS commands, and maps to ATT&CK technique T1059.001 for command and script injection.
The fix implemented in version 1.32.5 addresses this vulnerability through comprehensive input sanitization and validation mechanisms that prevent the execution of untrusted commands. The updated implementation ensures that any content within the dependencyInstallCommand field is properly escaped or validated before being executed, eliminating the attack vector that allowed malicious payloads to be injected into system commands. Organizations should immediately upgrade to version 1.32.5 or later to mitigate this risk, while also implementing additional security controls such as restricting access to OpenAPI specifications and monitoring for unusual command execution patterns in development environments. The vulnerability demonstrates the importance of validating all external inputs, particularly those that are executed as system commands, and highlights the need for robust sanitization practices in code generation tools that process external specification data.