PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59862 microsoft CVE debrief

CVE-2026-59862 is a high-severity vulnerability in Kiota, an OpenAPI based HTTP Client code generator. Prior to version 1.32.0, Kiota's Python generator allowed attacker-controlled enum value descriptions to flow through KiotaBuilder.SetEnumOptions into Documentation.DescriptionTemplate and PythonConventionService.RemoveInvalidDescriptionCharacters without newline sanitization. This could allow generated inline comments to split and execute attacker-controlled Python code at module scope when generated modules were imported. Developers and users of Kiota's OpenAPI based HTTP Client code generator, especially those using the Python generator, should be aware of this vulnerability and take steps to mitigate it.

Vendor
microsoft
Product
kiota
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-17
Advisory published
2026-07-16
Advisory updated
2026-07-17

Who should care

Developers and users of Kiota's OpenAPI based HTTP Client code generator, especially those using the Python generator, should be aware of this vulnerability and take steps to mitigate it. Operators, platform administrators, vulnerability management teams, and security teams may be impacted by this vulnerability and should review generated code for potential security risks.

Technical summary

The vulnerability exists in Kiota's Python generator prior to version 1.32.0. Attacker-controlled enum value descriptions from x-ms-enum.values[].description could flow through KiotaBuilder.SetEnumOptions into Documentation.DescriptionTemplate and PythonConventionService.RemoveInvalidDescriptionCharacters without newline sanitization. This could allow generated inline comments to split and execute attacker-controlled Python code at module scope when generated modules were imported. The issue is fixed in version 1.32.0.

Defensive priority

High

Recommended defensive actions

  • Upgrade Kiota to version 1.32.0 or later
  • Review generated code for suspicious comments
  • Implement additional code review processes
  • Monitor for unusual activity in generated modules
  • Perform vulnerability assessment for affected Kiota deployments
  • Review Kiota documentation for secure usage guidelines
  • Track remediation progress and verify code integrity

Evidence notes

The CVE record was published on 2026-07-16T15:16:35.570Z and was last modified on 2026-07-16T19:16:50.913Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD information. Defenders should verify Kiota version and Python generator usage.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T15:16:35.570Z and has not been modified since then. The NVD entry is currently Deferred.