Description
Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission). When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients. This issue is only practically exploitable when the OpenAPI description used for generation is from an untrusted source, or a normally trusted OpenAPI description has been compromised/tampered with. Only generating from trusted, integrity-protected API descriptions significantly reduces the risk. To remediate the issue, upgrade Kiota to 1.31.1 or later and regenerate/refresh existing generated clients as a precaution. Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.
Published: 2026-04-22
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Kiota is an OpenAPI based HTTP client code generator. Versions prior to 1.31.1 are vulnerable to a code-generation literal injection flaw that allows malicious values from an OpenAPI description to be emitted into generated source without context-appropriate escaping. This flaw can break out of string literals and inject additional code, creating the possibility of arbitrary code execution in the generated clients. The weakness is identified by CWE-94.
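To make the injection mechanism concrete, here is an added example (not Kiota's code and not its patched writer) that models one writer sink in Python: a generator emitting a serialization key into a generated client, first by interpolating the schema value directly and then with context-appropriate escaping. The property name, the write_str_value call and the client field are constructed for the illustration; Python's ast module is used to show how many statements the emitted line really contains.

```python
"""Toy reproduction of a code-generation literal injection (CWE-94).

Constructed example, not Kiota's code. It models one writer sink: a generator
turning an OpenAPI property name into the serialization key of a generated
Python client, first by naive interpolation, then with context-appropriate
escaping. ast is used to show what the generated line actually contains.
"""
from __future__ import annotations

import ast
import json

# Constructed values that a generator would read from an OpenAPI description.
BENIGN_KEY = "displayName"
# Closes the literal and the call, runs an attacker statement, then reopens a
# literal so the rest of the emitted line still parses.
HOSTILE_KEY = 'displayName"); __import__("os").system("id"); x = ("'


def emit_unsafe(key: str) -> str:
    """Vulnerable sink: the schema value is pasted straight into a string literal."""
    return f'writer.write_str_value("{key}", self.display_name)\n'


def emit_safe(key: str) -> str:
    """Hardened sink for a Python target: json.dumps yields a double-quoted literal
    whose JSON escape sequences are also valid Python string-literal escapes, so no
    value can terminate the literal early. Another target language needs its own
    escaper; that is what "context-appropriate" means."""
    return f'writer.write_str_value({json.dumps(key)}, self.display_name)\n'


def statement_count(generated: str) -> int:
    """Top-level statements in the emitted line; a correct sink emits exactly one."""
    return len(ast.parse(generated).body)


def first_argument(generated: str) -> str | None:
    """The string literal actually passed as the first argument of the emitted
    call, or None if the line is not a single call with a string first argument."""
    tree = ast.parse(generated)
    if len(tree.body) != 1 or not isinstance(tree.body[0], ast.Expr):
        return None
    call = tree.body[0].value
    if not isinstance(call, ast.Call) or not call.args:
        return None
    arg = call.args[0]
    return arg.value if isinstance(arg, ast.Constant) and isinstance(arg.value, str) else None


def is_injected(key: str, generated: str) -> bool:
    """True when the emitted code does not round-trip the key as one literal."""
    return statement_count(generated) != 1 or first_argument(generated) != key


if __name__ == "__main__":
    for label, emit in (("unsafe", emit_unsafe), ("safe", emit_safe)):
        out = emit(HOSTILE_KEY)
        print(f"{label}: {statement_count(out)} statement(s), injected={is_injected(HOSTILE_KEY, out)}")
        print("   ", out.rstrip())
```

The hostile key is only ever parsed, never executed. With the unsafe sink the emitted line parses as three statements, the middle one being the attacker's; with the escaped sink it parses as a single call whose first argument round-trips to the original key.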

Affected Systems

The vulnerability affects Microsoft Kiota. Any Kiota installation running a version earlier than 1.31.1 is susceptible. Projects that use Kiota to generate client code from OpenAPI descriptions obtained from untrusted or tamperable sources are at risk, as is any application that compiles or runs a client generated that way.

Risk and Exploitability

The CVSS 4.0 base score of 7.3 rates the issue High (the CVSS 3.1 score of 7.8 that NVD recorded later, see History, agrees). The EPSS score of 0.00051 (about 0.05%) reflects a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:L, AT:P, UI:P) matches the attack path the description implies: a developer or build job runs Kiota against an OpenAPI description that an attacker supplied or tampered with, the generator emits the attacker's code into the client, and that code then runs wherever the generated client is compiled and executed, not only in the build environment. Generating only from trusted, integrity-protected descriptions substantially reduces the risk; upgrading the generator removes the emission bug itself.

Generated by OpenCVE AI on April 28, 2026 at 07:55 UTC.

Remediation

Vendor fix: upgrade Kiota to 1.31.1 or later and regenerate existing clients, as stated in the description and in GHSA-2hx3-vp6r-mg3f. No workaround is provided beyond generating only from trusted, integrity-protected OpenAPI descriptions.

OpenCVE Recommended Actions

  • Upgrade Kiota to version 1.31.1 or later and regenerate or refresh all previously generated client code.
  • Ensure that OpenAPI descriptions used for code generation are trusted and integrity-protected, for example via signing or provenance verification.
  • Restrict the code generation process to trusted build environments and enforce access controls to limit who can trigger code generation with external OpenAPI descriptions.
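The second and third actions can be enforced before the generator ever runs. The following is an added example, not Kiota tooling: a Python pre-generation gate that refuses to proceed unless the OpenAPI description matches a SHA-256 digest pinned in the repository, and none of the values the advisory names as writer sinks (property names, parameter names, enum members, default values, path templates) contain characters that can close or escape a string literal. The sample description, the pinned digest and the character list are constructed for the illustration; the hygiene scan is defence in depth for pipelines still on a vulnerable generator version, not a substitute for upgrading.

```python
"""Pre-generation gate for an OpenAPI description fed to a client generator.

Constructed example, not Kiota tooling. Before the generator runs it applies
two controls: the description must match a digest pinned in the repository,
and the values a generator turns into literals (property names, parameter
names, enum members, defaults, path templates) must not contain characters
that can close or escape a string literal in the generated source.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Characters and sequences that end a literal, escape inside one, or open a
# template expression in common generator target languages. Conservative by
# design: a legitimate API rarely needs these in identifiers or enum members.
BREAKER_CHARS = set('"\'`\\\r\n\x00')
BREAKER_SEQS = ("${", "*/")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned_digest(data: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the description's digest with the pinned value."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex.lower())


def has_literal_breaker(value: str) -> bool:
    return any(ch in BREAKER_CHARS for ch in value) or any(seq in value for seq in BREAKER_SEQS)


def _iter_sink_values(node, pointer: str = ""):
    """Yield (json_pointer, value) for positions a generator turns into literals."""
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{pointer}/{key}"
            if key in ("properties", "paths") and isinstance(child, dict):
                for name in child:                    # property names, URL path templates
                    yield f"{here}/{name}", name
            elif key == "enum" and isinstance(child, list):
                for idx, member in enumerate(child):  # enum members
                    if isinstance(member, str):
                        yield f"{here}/{idx}", member
            elif key in ("default", "name") and isinstance(child, str):
                yield here, child                     # default values, parameter names
            yield from _iter_sink_values(child, here)
    elif isinstance(node, list):
        for idx, item in enumerate(node):
            yield from _iter_sink_values(item, f"{pointer}/{idx}")


def find_literal_breakers(description: dict) -> list[tuple[str, str]]:
    return [(ptr, val) for ptr, val in _iter_sink_values(description) if has_literal_breaker(val)]


def gate(raw: bytes, pinned_hex: str) -> dict:
    """Decide whether generation may proceed; both controls must pass."""
    digest_ok = verify_pinned_digest(raw, pinned_hex)
    findings = find_literal_breakers(json.loads(raw))
    return {"digest_ok": digest_ok, "findings": findings, "allow": digest_ok and not findings}


def _demo_description(display_name_key: str, status_default: str) -> bytes:
    """Constructed minimal OpenAPI 3 document used as sample input."""
    doc = {
        "openapi": "3.0.3",
        "info": {"title": "Demo API", "version": "1.0"},
        "paths": {"/users/{id}": {"get": {
            "parameters": [{"name": "id", "in": "path", "required": True, "schema": {"type": "string"}}],
            "responses": {"200": {"description": "ok"}}}}},
        "components": {"schemas": {"User": {"type": "object", "properties": {
            display_name_key: {"type": "string"},
            "status": {"type": "string", "enum": ["active", "disabled"], "default": status_default}}}}},
    }
    return json.dumps(doc, sort_keys=True).encode()


TRUSTED_DOC = _demo_description("displayName", "active")
# In a real pipeline the pin is committed next to the build, not derived at run time.
PINNED_DIGEST = sha256_hex(TRUSTED_DOC)
# Tampered copy: one property name closes the literal and injects a statement,
# one default value opens a JavaScript template expression.
TAMPERED_DOC = _demo_description('displayName"); __import__("os").system("id"); x = ("', "${process.env.HOME}")


if __name__ == "__main__":
    for label, doc in (("trusted", TRUSTED_DOC), ("tampered", TAMPERED_DOC)):
        result = gate(doc, PINNED_DIGEST)
        print(label, "allow" if result["allow"] else "BLOCK", result["digest_ok"], result["findings"])
```

In CI the gate runs before the generator is invoked and fails the job when allow is False; the findings list gives the JSON pointer of each offending value so the description can be inspected rather than silently rejected. The digest check alone already stops the tampered copy; the scan shows which values would have reached a literal-emitting sink.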

Advisories
Source: GitHub GHSA
ID: GHSA-2hx3-vp6r-mg3f
Title: Kiota: Code Generation Literal Injection
History

Thu, 14 May 2026 21:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:microsoft:kiota:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values added: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 27 Apr 2026 20:45:00 +0000

Type: First Time appeared
Values added: Microsoft; Microsoft kiota

Type: Vendors & Products
Values added: Microsoft; Microsoft kiota

Mon, 27 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 20:45:00 +0000

Type: Description
Values added: the advisory text shown under Description at the top of this page

Type: Title
Values added: Kiota: Code Generation Literal Injection

Type: Weaknesses
Values added: CWE-94

Type: References
Values added: (empty)

Type: Metrics (cvssV4_0)
Values added: {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T13:35:02.423Z

Reserved: 2026-04-17T12:59:15.738Z

Link: CVE-2026-41134

Vulnrichment

Updated: 2026-04-23T14:19:13.799Z

NVD

Status : Analyzed

Published: 2026-04-22T21:17:09.027

Modified: 2026-05-14T21:23:04.210

Link: CVE-2026-41134

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T08:00:14Z

Weaknesses