CVE-2026-41134
Description
Kiota is an OpenAPI based HTTP Client code generator. Versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission). When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients. This issue is only practically exploitable when the OpenAPI description used for generation is from an untrusted source, or a normally trusted OpenAPI description has been compromised/tampered with. Only generating from trusted, integrity-protected API descriptions significantly reduces the risk. To remediate the issue, upgrade Kiota to 1.31.1 or later and regenerate/refresh existing generated clients as a precaution. Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kiota versions prior to 1.31.1 allow code injection via malicious OpenAPI descriptions due to insufficient escaping in generated code.
Vulnerability
Overview
CVE-2026-41134 is a code-generation literal injection vulnerability in Kiota, an OpenAPI-based HTTP client code generator. Versions prior to 1.31.1 fail to properly escape values from OpenAPI descriptions when emitting them into generated source code across multiple writer sinks, including serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission [1][3]. This allows an attacker to break out of string literals and inject arbitrary code into the generated client.
Exploitation
Exploitation requires the OpenAPI description used for generation to be from an untrusted source or a normally trusted description to have been compromised or tampered with [1][3]. An attacker can craft a malicious OpenAPI document containing payloads in fields such as default values, property names, or parameter definitions. When Kiota processes this document, the malicious value is emitted into the generated source code without context-appropriate escaping, enabling the attacker to inject additional statements [3]. For example, a default value containing `"; throw new System.Exception("injected"); //` would be emitted as executable code in the generated C# client [3].
Impact
Successful exploitation allows an attacker to inject arbitrary code into the generated client library. This could lead to arbitrary code execution in the context of the application that uses the generated client, potentially compromising the confidentiality, integrity, and availability of the application and its data [1][3]. The impact is limited to scenarios where the generated client is built from an untrusted or tampered OpenAPI description.
Mitigation
The vulnerability is fixed in Kiota version 1.31.1 and later [1][3]. Users should upgrade to the latest version and regenerate any existing generated clients to replace potentially vulnerable code with hardened output. As a general best practice, only generate clients from trusted, integrity-protected OpenAPI descriptions to significantly reduce the risk of exploitation [1][3].
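As an added illustration (not Kiota's own code), the toy generator below emits one C# property initializer the vulnerable way and with context-appropriate escaping, then checks both outputs using the payload quoted above; the property name and the helper names are constructed for this example.

```python
"""Toy illustration of the literal-injection bug class behind CVE-2026-41134.
Not Kiota's code: a minimal generator emitting a C# property whose default
value comes from an (untrusted) OpenAPI description."""
import re

# Constructed input: the breakout payload quoted in the advisory narrative.
MALICIOUS_DEFAULT = '"; throw new System.Exception("injected"); //'

def emit_vulnerable(prop: str, default: str) -> str:
    # Interpolates the raw value into a C# string literal. A double quote in
    # the value closes the literal early and the remainder becomes code.
    return f'public string {prop} {{ get; set; }} = "{default}";'

def csharp_string_literal(value: str) -> str:
    # Context-appropriate escaping for a regular C# string literal:
    # backslash first, then the quote and the control characters.
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
                    .replace("\r", "\\r").replace("\n", "\\n").replace("\t", "\\t"))
    return f'"{escaped}"'

def emit_hardened(prop: str, default: str) -> str:
    # Same sink, but every value passes through the literal escaper.
    return f'public string {prop} {{ get; set; }} = {csharp_string_literal(default)};'

def semicolons_outside_literals(line: str) -> int:
    """Count ';' outside string literals and line comments, i.e. the
    terminators the C# compiler would see. Extra ones mean injected code."""
    count, in_string, i = 0, False, 0
    while i < len(line):
        ch = line[i]
        if in_string:
            if ch == "\\":
                i += 1                 # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif line.startswith("//", i):
            break                      # rest of the line is a comment
        elif ch == ";":
            count += 1
        i += 1
    return count

_INITIALIZER = re.compile(r'= "((?:[^"\\]|\\.)*)";$')

def recover_default(line: str):
    """Parse the emitted initializer back into the original value, or return
    None when the line is not a single well-formed string initializer."""
    m = _INITIALIZER.search(line)
    if not m:
        return None
    esc = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r"\\(.)", lambda k: esc.get(k.group(1), k.group(1)), m.group(1))
```

The vulnerable emitter yields a line with an extra top-level `;` and a `throw` outside any literal, while the hardened emitter yields exactly one initializer whose decoded value equals the original input.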
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| kiota (NuGet) | < 1.31.1 | 1.31.1 |
References
- [1] github.com/microsoft/kiota/security/advisories/GHSA-2hx3-vp6r-mg3f (vendor advisory; NVD tags: Exploit, Vendor Advisory)
- [2] github.com/advisories/GHSA-2hx3-vp6r-mg3f (GitHub Security Advisory)
- [3] nvd.nist.gov/vuln/detail/CVE-2026-41134 (NVD entry)