External risk intelligence

Kiota Path Traversal in Plugin Manifest Generation

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-59864

The vulnerability exists within a code generation tool (Kiota) used during the development or build-time phase to create plugin manifests. It is not a runtime service, internet-facing application, or network appliance; the impact occurs only if the resulting generated artifacts are improperly handled or deployed.

Path Traversal

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

Kiota, a tool for generating HTTP client code, has a vulnerability where it can incorrectly handle file paths when creating certain plugin manifests. This could allow malicious code to be inserted into generated Microsoft 365 Copilot and Teams plugins if not properly validated before deployment. The primary concern is to confirm if this code generation tool is in use and if any generated artifacts have been deployed.

  • Code generator mishandles file paths.
  • Affects Microsoft 365 Copilot and Teams plugins.
  • Confirm relevance and exposure of the tool.

Attack Path

How an attacker could exploit the issue

An attacker could craft malicious entries in an OpenAPI specification that, when processed by the Kiota tool, lead to the creation of plugin manifests containing path traversal or out-of-package file inclusion vulnerabilities. If these generated plugins are later deployed, an attacker could potentially access or include unintended files on the target system.

  • Attack requires vulnerable code generation.
  • Triggered by malicious OpenAPI specifications.
  • Risk of unintended file access.

Live Threat

Current exploitation, exposure, and threat context

When a Microsoft 365 Copilot or Teams plugin is deployed, an attacker could influence the path of static template files embedded in its manifest. This could lead to path traversal or the inclusion of files outside the intended plugin package when the plugin is used.

  • Plugin manifest files.
  • Path traversal allows inclusion of unintended files.
  • Compromised plugin behavior and data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability resides in a code generation tool, impacting the creation of plugin manifests. Ownership likely falls to the development or platform engineering teams responsible for the build and deployment pipeline. The first practical step is to identify all instances where this tool is used, confirm if generated manifests are deployed to production, and then assess the risk to business-critical systems before planning remediation.

  • Development and platform teams own the issue.
  • Verify manifest generation and deployment scope.
  • Plan remediation based on deployment risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Kiota?

Kiota is a developer tool designed to automate the creation of HTTP client code. By leveraging OpenAPI descriptions, it generates the necessary code to interact with APIs. It is frequently used by developers to streamline the integration of various services into applications, including the creation of specialized plugin manifests for platforms like Microsoft 365 Copilot and Teams.

What does CVE-2026-59864 mean in plain English?

This vulnerability is a path traversal flaw, technically classified as Improper Limitation of a Pathname to a Restricted Directory (CWE-22). It means the tool fails to sanitize file paths provided in certain configuration fields. Consequently, an attacker can craft a malicious OpenAPI file that tricks the generator into pointing to restricted system files, which then get bundled into the final plugin manifest.

How is this vulnerability triggered?

The flaw is triggered during the plugin manifest generation process when Kiota processes a specially crafted OpenAPI specification containing malicious path data. Note that simply having the Kiota tool installed is not enough; the vulnerability only manifests if a developer uses a compromised OpenAPI description to generate a plugin, and that resulting manifest is subsequently deployed into a production environment.

Do I need to worry about this if my systems are internal?

According to Halo Surface Signal, this vulnerability is considered unlikely to be an immediate internet-facing threat because Kiota is a build-time tool rather than a live network service. However, the risk persists if your team uses Kiota to build plugins that are later deployed to environments accessible by users. Even internal plugins could be misused if they contain the malformed paths, so review of your development pipeline is still recommended.

When should I update my Kiota version?

You should update to version 1.32.5 or later immediately if you use Kiota to generate plugins for Microsoft 365 Copilot or Teams. The first practical step is to audit your build pipelines to identify where Kiota is used. Once identified, upgrade the tool, then regenerate and redeploy any plugin manifests created with older versions to ensure they no longer contain potentially malicious, unvalidated file paths.

References