Intel

AIKIDO-2026-15873

Microsoft.OpenApi.Kiota.Builder is vulnerable to Path Traversal

Path TraversalCVE-2026-59863 Published Today

70

High Risk

This Affects:

DOTNETMicrosoft.OpenApi.Kiota.Builder
0.0.1 - 1.32.4
Fixed in 1.32.5
Are you affected? Scan for Free

TL;DR

Kiota honors the per-client and per-plugin outputPath from a committed .kiota/workspace.json workspace configuration without validating it during kiota client generate and kiota plugin generate. A malicious repository or pull request can set outputPath to an absolute or .. traversal path, causing the generated client or plugin to be written to an arbitrary location outside the workspace when a teammate or CI regenerates. This enables arbitrary file write on the developer or CI host. The fix confines each outputPath to a relative subdirectory of the workspace and aborts generation on escape.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you regenerate clients or plugins from an untrusted workspace configuration.

Background info

Microsoft.OpenApi.Kiota.Builder is vulnerable to Path Traversal in versions 0.0.1 - 1.32.4.

How to fix this

Upgrade the Microsoft.OpenApi.Kiota.Builder and/or the Microsoft.OpenApi.Kiota library to the patch version.