PT-2026-60492 · Microsoft · Kiota
CVE-2026-59867
·
Publicado
2026-07-16
·
Atualizado
2026-07-16
CVSS v3.1
7.1
Alta
| Vetor | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N |
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing
kiota generate on an attacker-controlled or attacker-influenced description to perform build-time SSRF, remote file inclusion, and local file inclusion by inlining external schemas such as REMOTE KIOTA PROP or Leaked into generated clients. This issue is fixed in version 1.32.5 by AllowedExternalOriginsStreamLoader and the --allowed-external-origins option.Correção
Path traversal
SSRF
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Kiota