Skip to main content

Microsoft CVE-2026-26139

| EUVDEUVD-2026-13186 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-19 secure@microsoft.com
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 21:30 euvd
EUVD-2026-13186
Analysis Generated
Mar 19, 2026 - 21:30 vuln.today
CVE Published
Mar 19, 2026 - 21:17 nvd
HIGH 8.6

DescriptionCVE.org

Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Microsoft Purview is vulnerable to server-side request forgery (SSRF) that enables unauthenticated remote attackers to escalate privileges across network boundaries. This network-accessible vulnerability requires no user interaction and impacts the confidentiality of affected systems. No patch is currently available.

Technical ContextAI

This vulnerability affects Microsoft Purview, Microsoft's data governance and compliance platform used for managing and protecting enterprise data across cloud and on-premises environments. The issue is classified as CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches remote resources without validating user-supplied URLs, allowing attackers to make the server perform requests to arbitrary destinations. The SSRF vulnerability in Purview could allow attackers to bypass network segmentation and access internal services that would normally be inaccessible from the internet.

RemediationAI

Organizations should immediately check the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26139 for available security updates and apply them according to Microsoft's guidance. As an interim mitigation, restrict network access to Purview instances using firewall rules or network segmentation to limit exposure to trusted IP ranges only. Additionally, implement robust monitoring for unusual outbound requests from Purview servers that could indicate SSRF exploitation attempts, and ensure proper input validation and URL whitelisting are configured where possible.

Share

CVE-2026-26139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy