Intel

AIKIDO-2026-272541

Microsoft.OpenApi.Kiota.Builder is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF)CVE-2026-59867 Published Today

71

High Risk

This Affects:

DOTNETMicrosoft.OpenApi.Kiota.Builder
0.0.1 - 1.32.4
Fixed in 1.32.5
Are you affected? Scan for Free

TL;DR

Kiota resolves OpenAPI $ref values by fetching remote http(s) URLs and reading local files, including absolute and out-of-tree paths, and inlines the referenced schema into the generated client. Running the generator on an attacker-controlled OpenAPI description whose $ref points at an internal URL or an arbitrary local file causes server-side requests from the build host and disclosure or inclusion of untrusted remote and local content. No code execution results because output sinks stay escaped. The fix makes external reference resolution default-deny and requires explicit opt-in through the --allowed-external-origins parameter.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run the generator on untrusted OpenAPI descriptions that contain external references.

Background info

Microsoft.OpenApi.Kiota.Builder is vulnerable to Server-Side Request Forgery (SSRF) in versions 0.0.1 - 1.32.4.

How to fix this

Upgrade the Microsoft.OpenApi.Kiota.Builder and/or the Microsoft.OpenApi.Kiota library to the patch version.