Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Azure Cloud Shell contains a server-side request forgery vulnerability that allows unauthenticated remote attackers to escalate privileges without user interaction. The vulnerability affects Microsoft products and has a critical CVSS score of 10.0, though no patch is currently available. Attackers can leverage network access to achieve privilege elevation across system boundaries.
Technical ContextAI
Server-side request forgery (SSRF) vulnerabilities, classified under CWE-918, occur when an application can be tricked into making HTTP requests to arbitrary destinations on behalf of the server, potentially accessing internal resources or bypassing security controls. Azure Cloud Shell is a browser-based command-line interface that provides authenticated access to manage Azure resources through either Bash or PowerShell environments. The SSRF vulnerability in this cloud-based terminal service could allow attackers to make unauthorized requests from within Microsoft's infrastructure, potentially accessing internal Azure services, metadata endpoints, or other restricted resources that would normally be inaccessible from the public internet.
RemediationAI
Microsoft has not yet released specific version information or patches for this vulnerability based on the available references. Organizations should monitor the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32169 for updates on patches or mitigations. Until a fix is available, consider implementing compensating controls such as restricting Azure Cloud Shell access to trusted IP ranges through Conditional Access policies, enabling additional monitoring and alerting for unusual Cloud Shell activities, and reviewing Azure Activity Logs for suspicious command executions or network requests originating from Cloud Shell sessions.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13204