Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-41134

Kiota: Code Generation Literal Injection
Back to all
CVE

CVE-2026-41134

Kiota: Code Generation Literal Injection

CVE Advisory (CVE-2026-41134): Code Generation Literal Injection in Kiota

Summary

Kiota versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission).

When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients.

Impact and Preconditions

This issue is only practically exploitable when:

  1. the OpenAPI description used for generation is from an untrusted source, or
  2. a normally trusted OpenAPI description has been compromised/tampered with.

If you only generate from trusted, integrity-protected API descriptions, risk is significantly reduced.

Affected Versions

  • Affected: all versions < 1.31.1
  • Fixed: 1.31.1 and later

Illustrative Exploit Example

Example OpenAPI fragment (malicious default value)

openapi: 3.0.1
info:
  title: Exploit Demo
  version: 1.0.0
components:
  schemas:
    User:
      type: object
      properties:
        displayName:
          type: string
          default: "\"; throw new System.Exception(\"injected\"); //"

Example generated C# snippet before fix (illustrative)

public User() {
    DisplayName = ""; throw new System.Exception("injected"); //";
}

The injected payload escapes the intended string context and introduces attacker-controlled statements in generated code.

Note: this exploit is not limited to default values, but may also impact properties names (serialization), path or query parameters, enum representations and other locations.

Remediation

  1. Upgrade Kiota to 1.31.1 or later.
  2. Regenerate/refresh existing generated clients as a precaution:
kiota update

Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.

Acknowledgement

We would like to thank the researcher Thanatos Tian(Polyu) for finding this issue and for his contribution to this open source project.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.3
-
4.0
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
-

Related Resources

No items found.

References

https://github.com/microsoft/kiota/security/advisories/GHSA-2hx3-vp6r-mg3f, https://nvd.nist.gov/vuln/detail/CVE-2026-41134, https://github.com/microsoft/kiota

Severity

7.8

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.8
EPSS Probability
0.00024%
EPSS Percentile
0.07128%
Introduced Version
0
Fix Available
1.31.1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading