Intel

AIKIDO-2026-893593

Microsoft.OpenApi.Kiota.Builder is vulnerable to Path Traversal

Path TraversalCVE-2026-59866 Published Today

93

Critical Risk

This Affects:

DOTNETMicrosoft.OpenApi.Kiota.Builder
0.0.1 - 1.32.4
Fixed in 1.32.5
Are you affected? Scan for Free

TL;DR

Kiota emits the clientClassName and clientNamespaceName values from the x-ms-kiota-info OpenAPI extension raw, without identifier or path sanitization, when kiota generate runs without an explicit class name. An attacker-controlled OpenAPI description can set these to a traversal or absolute path so the generated source file is written outside the output directory, and can inject arbitrary text into the generated class or namespace declaration. This yields arbitrary file write and generated-code corruption. The fix sanitizes both names to a restricted character set before using them in output paths and declarations.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you generate clients from untrusted OpenAPI descriptions without specifying a client class name.

Background info

Microsoft.OpenApi.Kiota.Builder is vulnerable to Path Traversal in versions 0.0.1 - 1.32.4.

How to fix this

Upgrade the Microsoft.OpenApi.Kiota.Builder and/or the Microsoft.OpenApi.Kiota library to the patch version.