Intel

AIKIDO-2026-117504

Microsoft.OpenApi.Kiota.Builder is vulnerable to Command Injection

Command InjectionCVE-2026-59865 Published Today

93

Critical Risk

This Affects:

DOTNETMicrosoft.OpenApi.Kiota.Builder
0.0.1 - 1.32.4
Fixed in 1.32.5
Are you affected? Scan for Free

TL;DR

The kiota info command reads the dependencyInstallCommand from the x-ms-kiota-info OpenAPI extension and presents it as the tool's own recommended install command. An attacker-controlled or tampered OpenAPI description can supply an arbitrary shell command, which is also exposed verbatim through the --json output consumed by the Kiota VS Code extension. A developer who runs the suggested command, or an IDE install action, executes attacker-controlled shell on the workstation or CI host. The fix removes support for the description-supplied install command entirely.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run kiota info on untrusted OpenAPI descriptions and execute the suggested install command.

Background info

Microsoft.OpenApi.Kiota.Builder is vulnerable to Command Injection in versions 0.0.1 - 1.32.4.

How to fix this

Upgrade the Microsoft.OpenApi.Kiota.Builder and/or the Microsoft.OpenApi.Kiota library to the patch version.