CVE-2026-59867: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in microsoft kiota
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing `kiota generate` on an attacker-controlled or attacker-influenced description to perform build-time SSRF, remote file inclusion, and local file inclusion by inlining external schemas such as REMOTE_KIOTA_PROP or Leaked into generated clients. This issue is fixed in version 1.32.5 by AllowedExternalOriginsStreamLoader and the --allowed-external-origins option.
AI Analysis
Technical Summary
CVE-2026-59867 is a path traversal vulnerability in Microsoft Kiota, an OpenAPI-based HTTP client code generator. Before version 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote URLs and reading local file paths without proper restrictions. This behavior allows an attacker controlling or influencing the OpenAPI description used with 'kiota generate' to perform build-time SSRF, remote file inclusion, and local file inclusion attacks by inlining external schemas. The vulnerability is fixed in version 1.32.5 by implementing AllowedExternalOriginsStreamLoader and the --allowed-external-origins option to limit allowed external origins.
Potential Impact
An attacker able to supply or influence the OpenAPI description used by Kiota can exploit this vulnerability to perform server-side request forgery, potentially accessing internal network resources, and include remote or local files during the build process. This can lead to disclosure of sensitive information (confidentiality impact is high), limited integrity impact, and no direct availability impact.
Mitigation Recommendations
Upgrade Kiota to version 1.32.5 or later, which includes the AllowedExternalOriginsStreamLoader and the --allowed-external-origins option to restrict external origins and prevent this vulnerability. No other mitigations are indicated. Patch status is confirmed fixed in version 1.32.5.
CVE-2026-59867: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in microsoft kiota
Description
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing `kiota generate` on an attacker-controlled or attacker-influenced description to perform build-time SSRF, remote file inclusion, and local file inclusion by inlining external schemas such as REMOTE_KIOTA_PROP or Leaked into generated clients. This issue is fixed in version 1.32.5 by AllowedExternalOriginsStreamLoader and the --allowed-external-origins option.
CVSS v3.1
Score 7.1high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-59867 is a path traversal vulnerability in Microsoft Kiota, an OpenAPI-based HTTP client code generator. Before version 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote URLs and reading local file paths without proper restrictions. This behavior allows an attacker controlling or influencing the OpenAPI description used with 'kiota generate' to perform build-time SSRF, remote file inclusion, and local file inclusion attacks by inlining external schemas. The vulnerability is fixed in version 1.32.5 by implementing AllowedExternalOriginsStreamLoader and the --allowed-external-origins option to limit allowed external origins.
Potential Impact
An attacker able to supply or influence the OpenAPI description used by Kiota can exploit this vulnerability to perform server-side request forgery, potentially accessing internal network resources, and include remote or local files during the build process. This can lead to disclosure of sensitive information (confidentiality impact is high), limited integrity impact, and no direct availability impact.
Mitigation Recommendations
Upgrade Kiota to version 1.32.5 or later, which includes the AllowedExternalOriginsStreamLoader and the --allowed-external-origins option to restrict external origins and prevent this vulnerability. No other mitigations are indicated. Patch status is confirmed fixed in version 1.32.5.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-07-07T15:41:53.607Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a58f9c068715ace434105fa
Added to database: 07/16/2026, 15:33:20 UTC
Last enriched: 07/16/2026, 15:47:31 UTC
Last updated: 07/16/2026, 22:52:09 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.