CVE-2026-41134: Kiota: Code Generation Literal Injection

April 14, 2026 (updated May 6, 2026)

Kiota versions prior to 1.31.1 are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission).

When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients.

References

github.com/advisories/GHSA-2hx3-vp6r-mg3f
github.com/microsoft/kiota
github.com/microsoft/kiota/security/advisories/GHSA-2hx3-vp6r-mg3f
nvd.nist.gov/vuln/detail/CVE-2026-41134

Code Behaviors & Features

Detect and mitigate CVE-2026-41134 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →