Intel

AIKIDO-2026-687567

Microsoft.OpenApi.Kiota.Builder is vulnerable to Path Traversal

Path TraversalCVE-2026-59864 Published Today

93

Critical Risk

This Affects:

DOTNETMicrosoft.OpenApi.Kiota.Builder
0.0.1 - 1.32.4
Fixed in 1.32.5
Are you affected? Scan for Free

TL;DR

Kiota writes the static_template.file value from the x-ai-adaptive-card and x-ai-capabilities OpenAPI extensions into a generated API plugin manifest without validating it. An attacker-controlled or tampered OpenAPI description can supply a .. traversal segment, absolute path, or URI, so the manifest's response_semantics.static_template.file references files outside the plugin package. When the generated plugin is deployed to a Microsoft 365 Copilot or Teams host, that host resolves the out-of-package path. The fix validates the reference as a relative path confined to the plugin output package and drops unsafe values.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you generate API plugin manifests from untrusted OpenAPI descriptions.

Background info

Microsoft.OpenApi.Kiota.Builder is vulnerable to Path Traversal in versions 0.0.1 - 1.32.4.

How to fix this

Upgrade the Microsoft.OpenApi.Kiota.Builder and/or the Microsoft.OpenApi.Kiota library to the patch version.