PT-2026-35093 — Code Injection in Nuget Kiota

PT-2026-35093 · Nuget · Kiota

Published

2026-04-14

Updated

2026-04-14

CVSS v4.0

7.3

High

Vector

AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE Advisory (CVE-2026-41134): Code Generation Literal Injection in Kiota

Summary

Kiota versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission).

When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients.

Impact and Preconditions

This issue is only practically exploitable when:

the OpenAPI description used for generation is from an untrusted source, or
a normally trusted OpenAPI description has been compromised/tampered with.

If you only generate from trusted, integrity-protected API descriptions, risk is significantly reduced.

Affected Versions

Affected: all versions < 1.31.1
Fixed: 1.31.1 and later

Illustrative Exploit Example

Example OpenAPI fragment (malicious default value)

yaml

openapi: 3.0.1
info:
 title: Exploit Demo
 version: 1.0.0
components:
 schemas:
  User:
   type: object
   properties:
    displayName:
     type: string
     default: ""; throw new System.Exception("injected"); //"

Example generated C# snippet before fix (illustrative)

csharp

public User() {
  DisplayName = ""; throw new System.Exception("injected"); //";
}

The injected payload escapes the intended string context and introduces attacker-controlled statements in generated code.

Note: this exploit is not limited to default values, but may also impact properties names (serialization), path or query parameters, enum representations and other locations.

Remediation

Upgrade Kiota to 1.31.1 or later.
Regenerate/refresh existing generated clients as a precaution:

bash

kiota update

Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output.

Acknowledgement

We would like to thank the researcher Thanatos Tian（Polyu) for finding this issue and for his contribution to this open source project.

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

GHSA-2HX3-VP6R-MG3F

Affected Products

Kiota