PT-2026-60489 · Microsoft · Kiota

CVE-2026-59864

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, kiota plugin add and kiota plugin generate (with -t APIPlugin) emitted attacker-controlled static template.file values from x-ai-adaptive-card and x-ai-capabilities into generated Microsoft 365 Copilot and Teams plugin manifests without path validation, allowing ../, absolute, rooted, UNC, Windows drive, or URI paths in response semantics.static template.file to cause path traversal or out-of-package file inclusion when the generated plugin was deployed. This issue is fixed in version 1.32.5.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59864

Affected Products

Kiota