Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Microsoft Purview contains a server-side request forgery vulnerability that allows unauthenticated remote attackers to escalate privileges across network boundaries. An attacker can exploit this flaw without user interaction to gain unauthorized access to sensitive resources and functionality. No patch is currently available.
Technical ContextAI
This vulnerability is classified as CWE-918 (Server-Side Request Forgery), where the application can be tricked into making unauthorized requests to internal resources or external systems. Microsoft Purview is a unified data governance solution that manages and governs on-premises, multicloud, and software-as-a-service data. The SSRF vulnerability allows attackers to bypass security controls and potentially access sensitive internal resources that should not be directly accessible from the internet. The changed scope (S:C) in the CVSS vector indicates the vulnerability can impact resources beyond the vulnerable component itself.
RemediationAI
Apply the security update from Microsoft when available through the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26138. Until a patch is available, implement network segmentation to restrict access to Microsoft Purview instances from untrusted networks, deploy web application firewalls with SSRF protection rules, and monitor for suspicious outbound requests from Purview servers. Review and restrict any URL input fields or data connectors that could be exploited for SSRF attacks.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13185