PT-2026-34560 · Kiota · Kiota

Thanatos Tian · Published 2026-04-14 · Updated 2026-05-17 · CVE-2026-41134

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Kiota versions prior to 1.31.1
Description: Kiota is an OpenAPI-based HTTP client code generator. A code-generation literal injection exists in multiple writer sinks, including serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission. When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into the generated clients. This is practically exploitable when the OpenAPI description used for generation comes from an untrusted source or has been compromised.
Recommendations: Upgrade to version 1.31.1 or later and regenerate or refresh existing generated clients. Generate clients only from trusted, integrity-protected API descriptions.
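The following is an added illustration of the defect class described above, not Kiota's own code: a naive emitter that interpolates an OpenAPI-derived name straight into a quoted literal, beside an emitter that escapes the value for the target language's string grammar, plus a check that the emitted literal parses back to exactly one string equal to the original. Function names and the sample keys are constructed for this example; Python source is used as the stand-in target language.

```python
"""Added example (not Kiota code): escaping values from an API description
before emitting them as string literals in generated source."""
import ast
import json

# Constructed sample of property names taken from an API description.
# The second and third contain characters that end or break a literal.
SAMPLE_KEYS = [
    "displayName",
    'id"); inject_marker(',
    "path\\with\\slashes\nnewline",
    "caf\u00e9",
]


def emit_naive(key: str) -> str:
    """Unsafe: interpolates the raw value between quotes. A quote or a
    newline in the value terminates the literal early."""
    return f'"{key}"'


def emit_escaped(key: str) -> str:
    """Safe for a Python target: JSON string escaping (\\", \\\\, \\n, \\uXXXX)
    is a subset of Python's double-quoted literal grammar, so the result is
    always exactly one string literal. For another target language use that
    language's own escape rules; astral code points need care because
    \\uXXXX surrogate pairs are not read back as one character by Python."""
    return json.dumps(key, ensure_ascii=True)


def literal_round_trips(literal: str, expected: str) -> bool:
    """Parse the emitted text as a single expression and confirm it is one
    string constant equal to the original value."""
    try:
        tree = ast.parse(literal, mode="eval")
    except SyntaxError:
        return False
    node = tree.body
    return isinstance(node, ast.Constant) and node.value == expected


def generate_key_map(keys, emitter) -> str:
    """Emit a generated-source fragment: a dict literal mapping each
    serialization key to itself, the kind of sink the advisory names."""
    lines = ["{"]
    for key in keys:
        lit = emitter(key)
        lines.append(f"    {lit}: {lit},")
    lines.append("}")
    return "\n".join(lines)


def generated_map_equals(keys, emitter) -> bool:
    """Evaluate the generated dict literal and compare with the intended
    mapping. Any escaping failure shows up as a parse error or a mismatch."""
    source = generate_key_map(keys, emitter)
    try:
        value = ast.literal_eval(source)
    except (SyntaxError, ValueError):
        return False
    return value == {k: k for k in keys}


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        print(repr(key), "naive ok:", literal_round_trips(emit_naive(key), key),
              "escaped ok:", literal_round_trips(emit_escaped(key), key))
    print("naive map intact:", generated_map_equals(SAMPLE_KEYS, emit_naive))
    print("escaped map intact:", generated_map_equals(SAMPLE_KEYS, emit_escaped))
```

The round-trip check is the useful regression test for a generator: every value read from the description must come back out of the parsed generated source unchanged and as a single constant, for each target language's literal grammar. The naive emitter passes it only for benign names.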

Fix

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2026-41134
GHSA-2HX3-VP6R-MG3F

Affected Products

Kiota