CVE-2026-41134: CWE-94: Improper Control of Generation of Code ('Code Injection') in microsoft kiota
Kiota is an OpenAPI-based HTTP client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission). When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients. This issue is only practically exploitable when the OpenAPI description used for generation comes from an untrusted source, or a normally trusted OpenAPI description has been compromised or tampered with. Generating only from trusted, integrity-protected API descriptions significantly reduces the risk. To remediate the issue, upgrade Kiota to 1.31.1 or later and regenerate/refresh existing generated clients as a precaution. Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.
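The mechanism above, as an added example that is not Kiota's own code: a naive emitter that interpolates an OpenAPI property or parameter name into a string literal, the escaped form beside it, a count of literals a lexer would see on the emitted line, and a pre-generation lint that flags names and defaults which cannot be emitted verbatim. The `writer.WriteStringValue` sink and the OpenAPI fragment are constructed for illustration.

```python
# Added example (not Kiota's code). "writer.WriteStringValue" stands in for any
# generator sink; the OpenAPI fragment below is constructed, with a property
# name and a query parameter name that close a quoted literal early.
import json
import re

OPENAPI_DOC = {
    "components": {"schemas": {"User": {"properties": {
        "displayName": {"type": "string", "default": "anonymous"},
        'id"); extra("': {"type": "string"},
    }}}},
    "paths": {"/users": {"get": {"parameters": [
        {"name": "filter", "in": "query"},
        {"name": 'q"); extra("', "in": "query"},
    ]}}},
}

def emit_naive(key):
    """Vulnerable pattern: the key is interpolated into a C#-style literal."""
    return f'writer.WriteStringValue("{key}", value);'

def emit_escaped(key):
    """Hardened: json.dumps escapes ", \\ and control characters with sequences
    that are also valid inside C#, Java and JavaScript string literals."""
    return f'writer.WriteStringValue({json.dumps(key)}, value);'

LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')  # one complete double-quoted literal
def literal_count(line):
    """Literals a lexer sees on the line; more than one means a breakout."""
    return len(LITERAL.findall(line))

UNSAFE = re.compile(r'["\\\x00-\x1f]')  # cannot sit in a literal verbatim
def lint_openapi(doc):
    """Report names and defaults that need escaping. Run this before generating
    from any description that is not trusted and integrity-protected."""
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                if path.endswith("/properties") and UNSAFE.search(k):
                    findings.append(f"property name {k!r} at {path}")
                if k in ("name", "default") and isinstance(v, str) and UNSAFE.search(v):
                    findings.append(f"{k} {v!r} at {path}")
                walk(v, f"{path}/{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}/{i}")
    walk(doc, "")
    return findings
```

With the hostile property name, `emit_naive` produces a line containing two literals (the name closed the first one), while `emit_escaped` keeps it inside a single literal; the lint reports both constructed names before any code is generated.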
AI Analysis (machine-generated threat intelligence)
Technical Summary
Microsoft Kiota, an OpenAPI-based HTTP client code generator, suffers from a CWE-94 improper control of code generation vulnerability in versions before 1.31.1. The vulnerability occurs when malicious input from OpenAPI descriptions is injected into generated source code without proper context-aware escaping across multiple writer sinks such as serialization keys, URL templates, and metadata. This allows attackers to break out of string literals and inject arbitrary code into generated clients. Exploitation is feasible only if the OpenAPI description is untrusted or tampered with. The recommended fix is to upgrade to Kiota 1.31.1 or later and regenerate any previously generated clients to ensure hardened code output.
Potential Impact
This vulnerability enables code injection into generated client code, potentially allowing execution of arbitrary code within the context of the generated client. However, exploitation requires the attacker to control or compromise the OpenAPI description used for code generation. There are no known exploits in the wild. The impact is rated high with a CVSS score of 7.3, reflecting the potential for significant code execution risk if the conditions for exploitation are met.
Mitigation Recommendations
Upgrade Microsoft Kiota to version 1.31.1 or later to address the code injection vulnerability. Additionally, regenerate or refresh all previously generated client code to replace any vulnerable code with the fixed version. Avoid generating clients from untrusted or tampered OpenAPI descriptions to significantly reduce risk. Patch status is not explicitly stated as 'official-fix' in the advisory, but upgrading to 1.31.1 is the recommended remediation.
CVSS v4.0
Score: 7.3 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-17T12:59:15.738Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e9338e19fe3cd2cdedf9a4
Added to database: 4/22/2026, 8:46:06 PM
Last enriched: 4/30/2026, 8:00:48 AM
Last updated: 6/6/2026, 8:58:02 AM
Views: 76