PatchSiren cyber security CVE debrief
CVE-2026-59859 microsoft CVE debrief
CVE-2026-59859 is a vulnerability in Kiota, an OpenAPI based HTTP Client code generator. Prior to version 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals without proper escaping, allowing for code injection. This issue allows attackers to inject arbitrary PHP code into generated model and request-builder classes. The vulnerability exists due to insufficient sanitization of user-controlled input in the PHP generator. Developers and administrators using Kiota's PHP generator should be aware of this vulnerability and take steps to mitigate it by updating to version 1.32.4 or later.
- Vendor
- microsoft
- Product
- kiota
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-17
Who should care
Developers and administrators using Kiota's PHP generator should be aware of this vulnerability and take steps to mitigate it by updating to version 1.32.4 or later. This includes reviewing generated PHP code for potential code injection vulnerabilities and implementing additional security measures to prevent code injection attacks. Affected operators and platforms should prioritize updates and vulnerability management.
Technical summary
The vulnerability exists in Kiota's PHP generator, where OpenAPI description, default fields, property names, and other schema-derived strings are embedded into PHP double-quoted literals through SanitizeDoubleQuote() in Writers/StringExtensions.cs without escaping $, allowing attacker-controlled ${...}, $var, or {$obj->prop} interpolation constructs to inject arbitrary PHP code into generated model and request-builder classes. This issue is fixed in version 1.32.4. Affected product context requires defensive impact assessment and source-grounded technical framing.
Defensive priority
High
Recommended defensive actions
- Update Kiota to version 1.32.4 or later
- Review generated PHP code for potential code injection vulnerabilities
- Implement additional security measures to prevent code injection attacks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-16T15:16:35.167Z and has not been modified since then. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify affected Kiota deployments and review generated PHP code.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T15:16:35.167Z and has not been modified since then.