Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Server-side request forgery in Azure Custom Locations Resource Provider enables authenticated attackers with low-level privileges to elevate access and exfiltrate sensitive data across scope boundaries via network-based SSRF exploitation. This vulnerability affects Microsoft Azure infrastructure with a CVSS score of 9.6 (Critical), featuring scope change that allows attackers to reach resources beyond the vulnerable component's security context. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity and network vector indicate straightforward exploitability once authenticated access is obtained.
Technical ContextAI
Azure Custom Locations Resource Provider is a Microsoft Azure infrastructure component that manages custom location resources, typically used for Azure Arc-enabled Kubernetes and other hybrid deployment scenarios. This vulnerability stems from CWE-918 (Server-Side Request Forgery), where the application accepts user-supplied URLs or similar input and uses them to make requests to internal or external resources without proper validation. The SSRF weakness allows attackers to abuse the Resource Provider's trust relationship and network position to make unauthorized requests on their behalf, potentially accessing cloud metadata services, internal APIs, or other restricted resources. The Changed Scope (S:C) in the CVSS vector indicates the vulnerability impacts resources beyond the Custom Locations RP itself, suggesting attackers can pivot to other Azure services or customer environments through the compromised component.
RemediationAI
Microsoft is responsible for patching this cloud service vulnerability as Azure Custom Locations Resource Provider is a managed Azure component rather than customer-deployed software. Organizations should monitor the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26135 for patch deployment status and vendor-provided mitigation guidance. As this is a cloud service, Microsoft will likely deploy fixes transparently without requiring customer action for the core vulnerability. However, customers should review Azure Activity Logs and Custom Locations access patterns for suspicious SSRF-related activity, implement least-privilege access controls for identities with Custom Locations permissions, and consider network-level restrictions on outbound connectivity from Azure Arc-enabled resources if operationally feasible. Apply defense-in-depth measures including Azure Policy restrictions on Custom Locations deployment and enhanced monitoring of Resource Provider API calls until Microsoft confirms remediation deployment across all Azure regions.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18556