Skip to main content

Azure Synapse CVE-2026-26145

| EUVDEUVD-2026-41444 CRITICAL
Improper Access Control (CWE-284)
2026-07-02 microsoft GHSA-g6fh-wh88-hxp9
Critical
Disputed · 9.8 NVD
Temporal: 4.3
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (microsoft) PRIMARY
MEDIUM
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
4.3 MEDIUM
cvss
vuln.today AI
8.8 HIGH

Description states an 'authorized attacker,' so PR:L rather than PR:N; network vector and low complexity retained, with total technical impact giving C/I/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 07, 2026 - 14:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 07, 2026 - 14:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 07, 2026 - 14:37 vuln.today
cvss_changed
Severity Changed
Jul 07, 2026 - 14:37 NVD
MEDIUM CRITICAL
CVSS changed
Jul 07, 2026 - 14:37 NVD
4.8 (MEDIUM) 9.8 (CRITICAL)
Analysis Generated
Jul 02, 2026 - 22:52 vuln.today

DescriptionNVD

Improper access control in Azure Synapse allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege elevation in Microsoft Azure Synapse Analytics allows a network-based, authorized attacker to bypass improper access controls and gain higher privileges than assigned. The flaw carries a critical 9.8 CVSS with full confidentiality, integrity, and availability impact, though its EPSS probability is modest (0.33%, 24th percentile) and CISA SSVC records no observed exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege Synapse identity
Delivery
Send crafted request over network
Exploit
Bypass improper access control check
Execution
Elevate to higher-privileged role
Impact
Gain total control of data resources

Vulnerability AssessmentAI

Exploitation The description specifies an 'authorized attacker' elevating privileges over a network, so the concrete prerequisite is possession of an existing authorized/authenticated identity with network reachability to the Azure Synapse service - this directly contradicts the CVSS PR:N and indicates at least low-privilege authentication is required in practice. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are notably in tension and should be weighed carefully. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privilege authorized identity within (or reachable to) an Azure Synapse workspace sends crafted requests over the network that exploit the missing authorization check, causing the service to grant actions beyond the attacker's assigned role. Leveraging the low attack complexity, the attacker escalates to a higher-privileged context and gains total control over the affected data and processing resources. …
Remediation Because Azure Synapse is a Microsoft-managed cloud service, remediation is primarily service-side: Microsoft reports a patch is available per the Security Update Guide (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26145), and customers should confirm their workspaces are running the updated service and apply any customer-actionable steps Microsoft specifies there. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Synapse Analytics deployments and classify by data sensitivity; alert affected teams that a critical patch is available. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-26145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy