CVE-2026-41134: CWE-94: Improper Control of Generation of Code ('Code Injection') in microsoft kiota
Kiota is an OpenAPI-based HTTP client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission). When values from a malicious OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into the generated client. The issue is only practically exploitable when the OpenAPI description used for generation comes from an untrusted source, or a normally trusted description has been compromised or tampered with; generating only from trusted, integrity-protected API descriptions significantly reduces the risk. To remediate, upgrade Kiota to 1.31.1 or later and regenerate or refresh existing generated clients as a precaution, so that previously generated vulnerable code is replaced with hardened output.
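As an added illustration (not Kiota's own code) of the generator-side fix the advisory describes, the block below contrasts raw concatenation into a string literal with context-appropriate escaping, and includes a check that an emitted literal is exactly one well-formed string that decodes back to its input. The sample values are constructed, and the escaper assumes a double-quoted literal context in a C-family target language.

```python
import json
import re

# Constructed sample: property names / default values as they might arrive from an
# untrusted OpenAPI description. They contain a quote, a backslash, a newline and a
# tab, which is exactly what a literal emitter has to neutralise.
SAMPLE_VALUES = [
    'displayName',
    'na"me',
    'back\\slash',
    'multi\nline',
    'tab\tvalue',
]


def emit_literal_unescaped(value: str) -> str:
    """Vulnerable pattern: raw concatenation into a double-quoted literal."""
    return '"' + value + '"'


def emit_literal_escaped(value: str) -> str:
    """Hardened pattern: escape for a double-quoted string literal context.

    json.dumps with ensure_ascii=True produces a literal that is valid JSON and is
    also accepted by C-family targets (C#, Java, TypeScript, Go) that understand the
    \\" \\\\ \\n \\t and \\uXXXX escape forms.
    """
    return json.dumps(value, ensure_ascii=True)


# Exactly one well-formed double-quoted literal: opening quote, a run of escape
# sequences or ordinary (non-quote, non-backslash, non-control) characters, closing
# quote, and nothing before or after it.
_SINGLE_LITERAL = re.compile(r'^"(?:\\["\\/bfnrt]|\\u[0-9a-fA-F]{4}|[^"\\\x00-\x1f])*"$')


def is_single_literal(emitted: str) -> bool:
    """Reviewer check: does the emitted text parse as a single string literal?"""
    return _SINGLE_LITERAL.fullmatch(emitted) is not None


def round_trips(value: str, emitted: str) -> bool:
    """The literal must be well formed and decode back to the original value."""
    try:
        return is_single_literal(emitted) and json.loads(emitted) == value
    except ValueError:
        return False


def audit(values, emitter):
    """Return the inputs for which emitter produced an unsafe or lossy literal."""
    return [v for v in values if not round_trips(v, emitter(v))]
```

The other emission contexts the advisory names (identifiers, URL templates, metadata) each need their own escaping rules; a double-quoted-literal escaper alone does not cover them.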
AI Analysis
Technical Summary
Microsoft Kiota, an OpenAPI-based HTTP client code generator, is affected by a code-generation literal injection vulnerability (CWE-94) in versions before 1.31.1. This vulnerability occurs when malicious inputs from OpenAPI descriptions are emitted into generated source code without proper context-appropriate escaping across multiple writer sinks such as serialization keys, URL templates, and metadata. An attacker can exploit this by injecting code into generated clients if the OpenAPI description is untrusted or compromised. The vulnerability is mitigated by upgrading to Kiota 1.31.1 or later and regenerating clients to ensure hardened code output.
Potential Impact
The vulnerability allows attackers to inject arbitrary code into generated client source code, potentially leading to execution of malicious code within the client environment. However, exploitation is limited to scenarios where the OpenAPI description used for generation is untrusted or tampered with. There are no known exploits in the wild at this time. The CVSS 4.0 score of 7.3 reflects a high severity with local attack vector, low attack complexity, and partial user interaction required.
Mitigation Recommendations
Upgrade Microsoft Kiota to version 1.31.1 or later. After upgrading, regenerate or refresh all existing generated clients to replace any previously vulnerable code with the fixed, hardened output. Additionally, only use trusted and integrity-protected OpenAPI descriptions for code generation to significantly reduce risk. Patch status is not explicitly stated as 'official-fix' in the advisory, but the vendor-provided upgrade version indicates a fix is available.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-17T12:59:15.738Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e9338e19fe3cd2cdedf9a4
Added to database: 4/22/2026, 8:46:06 PM
Last enriched: 4/22/2026, 9:01:08 PM
Last updated: 4/22/2026, 10:45:03 PM