Skip to main content

Microsoft CVE-2026-26135

| EUVDEUVD-2026-18556 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-03 secure@microsoft.com
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 03, 2026 - 00:22 euvd
EUVD-2026-18556
Analysis Generated
Apr 03, 2026 - 00:22 vuln.today
CVE Published
Apr 03, 2026 - 00:16 nvd
CRITICAL 9.6

DescriptionCVE.org

Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Server-side request forgery in Azure Custom Locations Resource Provider enables authenticated attackers with low-level privileges to elevate access and exfiltrate sensitive data across scope boundaries via network-based SSRF exploitation. This vulnerability affects Microsoft Azure infrastructure with a CVSS score of 9.6 (Critical), featuring scope change that allows attackers to reach resources beyond the vulnerable component's security context. No public exploit code or active exploitation confirmed at time of analysis, though the low attack complexity and network vector indicate straightforward exploitability once authenticated access is obtained.

Technical ContextAI

Azure Custom Locations Resource Provider is a Microsoft Azure infrastructure component that manages custom location resources, typically used for Azure Arc-enabled Kubernetes and other hybrid deployment scenarios. This vulnerability stems from CWE-918 (Server-Side Request Forgery), where the application accepts user-supplied URLs or similar input and uses them to make requests to internal or external resources without proper validation. The SSRF weakness allows attackers to abuse the Resource Provider's trust relationship and network position to make unauthorized requests on their behalf, potentially accessing cloud metadata services, internal APIs, or other restricted resources. The Changed Scope (S:C) in the CVSS vector indicates the vulnerability impacts resources beyond the Custom Locations RP itself, suggesting attackers can pivot to other Azure services or customer environments through the compromised component.

RemediationAI

Microsoft is responsible for patching this cloud service vulnerability as Azure Custom Locations Resource Provider is a managed Azure component rather than customer-deployed software. Organizations should monitor the official Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26135 for patch deployment status and vendor-provided mitigation guidance. As this is a cloud service, Microsoft will likely deploy fixes transparently without requiring customer action for the core vulnerability. However, customers should review Azure Activity Logs and Custom Locations access patterns for suspicious SSRF-related activity, implement least-privilege access controls for identities with Custom Locations permissions, and consider network-level restrictions on outbound connectivity from Azure Arc-enabled resources if operationally feasible. Apply defense-in-depth measures including Azure Policy restrictions on Custom Locations deployment and enhanced monitoring of Resource Provider API calls until Microsoft confirms remediation deployment across all Azure regions.

Share

CVE-2026-26135 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy