CVE-2026-59867 PUBLISHED

Kiota: Generation-time SSRF + remote/local file inclusion via unrestricted $ref

Assigner: GitHub_M
Reserved: 07.07.2026 Published: 16.07.2026 Updated: 16.07.2026

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing kiota generate on an attacker-controlled or attacker-influenced description to perform build-time SSRF, remote file inclusion, and local file inclusion by inlining external schemas such as REMOTE_KIOTA_PROP or Leaked into generated clients. This issue is fixed in version 1.32.5 by AllowedExternalOriginsStreamLoader and the --allowed-external-origins option.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
CVSS Score: 7.1

Product Status

Vendor microsoft
Product kiota
Versions
  • Version < 1.32.5 is affected

References

Problem Types

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere CWE
  • CWE-918: Server-Side Request Forgery (SSRF) CWE