CVE-2026-41134 Overview
CVE-2026-41134 is a code-generation literal injection vulnerability affecting Kiota, Microsoft's OpenAPI-based HTTP Client code generator. Versions prior to 1.31.1 contain a flaw in multiple writer sinks that allows malicious values from an OpenAPI description to be emitted into generated source code without proper context-appropriate escaping. This vulnerability enables attackers to break out of string literals and inject additional code into generated clients.
The affected components include serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission routines. When developers generate HTTP clients from untrusted or compromised OpenAPI descriptions, the resulting code may contain attacker-controlled payloads that execute when the generated client is compiled and run.
Critical Impact
Attackers can inject arbitrary code into generated HTTP clients through malicious OpenAPI descriptions, potentially leading to supply chain compromise and arbitrary code execution in applications using the generated clients.
Affected Products
- Microsoft Kiota versions prior to 1.31.1
- Generated HTTP clients created with vulnerable Kiota versions
- Applications consuming generated clients from untrusted OpenAPI sources
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-41134 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41134
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code - Code Injection). The root issue lies in Kiota's code generation pipeline, which fails to properly escape or sanitize values extracted from OpenAPI specification documents before embedding them into the generated source code.
The vulnerability requires local access to the system where code generation occurs, and some user interaction is needed (processing an untrusted OpenAPI specification). However, once exploited, the impact is severe—an attacker gains the ability to inject arbitrary code that executes with the full privileges of the application using the generated client.
The attack scenario involves an attacker crafting a malicious OpenAPI specification containing specially constructed values in fields such as property names, enum values, default values, or path parameters. When Kiota processes this specification, these malicious values are written directly into the generated code as string literals or metadata without proper escaping, allowing the attacker to break out of the intended context and inject executable code.
Root Cause
The vulnerability stems from insufficient output encoding in Kiota's code generation writers. When values from the OpenAPI description are written to generated source files, the writer sinks do not apply context-appropriate escaping for the target programming language. This allows characters that have special meaning in the target language (such as quotes, backslashes, or statement terminators) to terminate string literals prematurely and introduce attacker-controlled code.
Attack Vector
The attack requires an attacker to supply a malicious OpenAPI description to the code generation process. This can occur when developers generate clients from untrusted third-party API specifications, when a normally trusted API description repository is compromised, or when an attacker can modify API specifications through man-in-the-middle attacks or supply chain compromise.
Once the malicious specification is processed by a vulnerable version of Kiota, the generated client code contains the injected payload. The malicious code executes when the generated client is compiled and the affected code paths are invoked at runtime.
The vulnerability mechanism involves values in OpenAPI descriptions being embedded without proper string literal escaping. An attacker can craft values that terminate string literals early, inject code statements, and continue the string literal to maintain syntactic validity. This injected code then becomes part of the application's execution flow when the generated client is used.
For complete technical details and exploitation scenarios, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-41134
Indicators of Compromise
- Review generated client source code for unexpected string terminations or code patterns not matching the OpenAPI specification
- Check for unusual characters or escape sequences in generated enum values, property names, or URL templates
- Audit OpenAPI descriptions for suspicious values in metadata fields, particularly those containing quotes or language-specific syntax
- Monitor build pipelines for generated clients exhibiting compilation errors or unexpected behavior
Detection Strategies
- Implement static code analysis on generated clients to detect anomalous code patterns or unexpected statements
- Compare generated code output against expected patterns for the input OpenAPI specification
- Use integrity verification for OpenAPI descriptions before processing (checksums, signatures)
- Deploy runtime application security testing to identify unusual execution paths in applications using generated clients
Monitoring Recommendations
- Audit the provenance and integrity of all OpenAPI specifications used in code generation pipelines
- Monitor code generation logs for warnings or errors that might indicate malformed input
- Implement change detection on OpenAPI specifications to identify unauthorized modifications
- Track Kiota version usage across development environments and flag versions prior to 1.31.1
How to Mitigate CVE-2026-41134
Immediate Actions Required
- Upgrade Kiota to version 1.31.1 or later immediately across all development environments
- Regenerate all existing HTTP clients that were created with vulnerable Kiota versions
- Audit the source of all OpenAPI descriptions used in your organization and ensure they come from trusted, integrity-protected sources
- Review recently generated clients for signs of code injection before deployment
Patch Information
Microsoft has released Kiota version 1.31.1 which addresses this vulnerability by implementing proper context-appropriate escaping for all values emitted from OpenAPI descriptions into generated code. After upgrading, developers should regenerate all existing clients to ensure previously generated vulnerable code is replaced with hardened output.
Additional details are available in the GitHub Security Advisory.
Workarounds
- Only generate HTTP clients from trusted, integrity-protected API descriptions that have been verified for authenticity
- Implement a review process for OpenAPI specifications before using them for code generation
- Use cryptographic signatures or checksums to verify OpenAPI description integrity before processing
- Isolate code generation environments and review generated output before integrating into production codebases
# Upgrade Kiota to patched version
dotnet tool update -g Microsoft.OpenApi.Kiota --version 1.31.1
# Verify installed version
kiota --version
# Regenerate existing clients with patched version
kiota generate -d ./openapi.yaml -o ./GeneratedClient -l csharp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
