PT-2026-60492 · Microsoft · Kiota

CVE-2026-59867

·

Publicado

2026-07-16

·

Atualizado

2026-07-16

CVSS v3.1

7.1

Alta

VetorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing kiota generate on an attacker-controlled or attacker-influenced description to perform build-time SSRF, remote file inclusion, and local file inclusion by inlining external schemas such as REMOTE KIOTA PROP or Leaked into generated clients. This issue is fixed in version 1.32.5 by AllowedExternalOriginsStreamLoader and the --allowed-external-origins option.

Correção

Path traversal

SSRF

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-59867

Produtos afetados

Kiota