Code Generation Injection Vulnerability in Kiota by Microsoft
CVE-2026-41134

7.3 HIGH

Key Information:

Vendor: Microsoft
Status: Vendor
CVE Published: 22 April 2026

What is CVE-2026-41134?

Kiota, an OpenAPI-based HTTP client code generator, is susceptible to a code-generation literal injection vulnerability in several writer sinks, including serialization and deserialization keys, path and query parameter mappings, and URL template metadata. If values from an untrusted or compromised OpenAPI description are incorporated into the generated source code, an attacker who controls that description can escape a string literal and introduce additional code into the generated client. To mitigate this issue, users should generate code only from trusted, integrity-protected API descriptions, upgrade to Kiota version 1.31.1 or later, and then regenerate existing clients.
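As an added illustration of the vulnerability class (this is not Kiota's code; the generator, the property names and the hostile key are all constructed), a toy writer emits a serialization-key table from OpenAPI property names, once by naive interpolation and once through a literal encoder, and a parse-based check counts how many statements each version of the generated source actually contains:

```python
"""Minimal model of the code-generation literal injection class behind
CVE-2026-41134. Constructed example, not Kiota's code: a toy generator
emits a serialization-key table as Python source from OpenAPI property names."""
import ast
import json
import keyword

# Constructed property names from a hypothetical OpenAPI schema. The second
# one is crafted to close the string literal and smuggle in a statement.
PROPERTIES = ["displayName", 'x"); injected = True; keys.append("y']


def emit_naive(props):
    """Vulnerable writer: untrusted names are interpolated straight into
    a string literal, so a quote in the name terminates the literal."""
    return "\n".join(f'keys.append("{p}")' for p in props)


def emit_escaped(props):
    """Hardened writer: every name goes through a literal encoder. json.dumps
    escapes quotes, backslashes and control characters, and its output is
    also a valid Python string literal."""
    return "\n".join(f"keys.append({json.dumps(p)})" for p in props)


def is_safe_identifier(name):
    """For sinks that need a bare identifier (attribute or parameter names)
    escaping is not enough; only a plain, non-keyword identifier is accepted."""
    return name.isidentifier() and not keyword.iskeyword(name)


def count_statements(source):
    """Parse generated source and count its top-level statements."""
    return len(ast.parse(source).body)


def injected_statements(source, props):
    """A writer that emits one statement per property must yield exactly
    len(props) statements; any surplus means a name broke out of its literal."""
    return count_statements(source) - len(props)


if __name__ == "__main__":
    print(injected_statements(emit_naive(PROPERTIES), PROPERTIES))    # 2
    print(injected_statements(emit_escaped(PROPERTIES), PROPERTIES))  # 0
```

The same check can be pointed at real generator output: parse it and compare the statement count against the number of schema entries that fed it.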

Affected Version(s)

kiota < 1.31.1

References

CVSS V4

Score: 7.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
