PatchSiren cyber security CVE debrief
CVE-2026-59864 microsoft CVE debrief
CVE-2026-59864 is a critical vulnerability in Kiota, an OpenAPI based HTTP Client code generator. The issue allows for path traversal or out-of-package file inclusion when generating Microsoft 365 Copilot and Teams plugin manifests. This vulnerability is fixed in version 1.32.5. Affected deployments should be reviewed for exposure, and owners should plan for updates or mitigations. Compensating controls may be necessary for exposed systems.
- Vendor
- microsoft
- Product
- kiota
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-17
Who should care
Developers and administrators using Kiota for generating plugins, especially those deploying Microsoft 365 Copilot and Teams plugins, should be aware of this vulnerability and take immediate action to update to version 1.32.5 or later. Affected operators, platforms, and security teams should review compensating controls and implement additional security measures.
Technical summary
Prior to Kiota version 1.32.5, the `kiota plugin add` and `kiota plugin generate` commands with the `-t APIPlugin` option did not properly validate paths in the `response_semantics.static_template.file` field of generated plugin manifests. This allowed an attacker to inject malicious paths, including ../, absolute, rooted, UNC, Windows drive, or URI paths, potentially leading to path traversal or out-of-package file inclusion when the generated plugin was deployed. The vulnerability is caused by the lack of path validation in the static_template.file values from x-ai-adaptive-card and x-ai-capabilities. The issue has been addressed in Kiota version 1.32.5.
Defensive priority
High
Recommended defensive actions
- Update Kiota to version 1.32.5 or later
- Review and validate paths in generated plugin manifests
- Implement additional security measures for plugin deployment
- Monitor for suspicious activity related to plugin generation and deployment
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record was published on 2026-07-16T16:19:15.240Z and was last modified on 2026-07-16T17:13:54.870Z. The NVD entry is currently Deferred. Evidence is limited to CVE and NVD details. Defenders should verify Kiota plugin usage and generated manifests for path traversal or out-of-package file inclusion risks. Additional verification tasks may be needed to confirm affected scope and severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T16:19:15.240Z and has not been modified since then. The NVD entry is currently Deferred.