Skip to main content

Microsoft CVE-2026-33107

| EUVDEUVD-2026-18564 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-03 secure@microsoft.com GHSA-xrc8-933j-f74c
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 03, 2026 - 00:22 euvd
EUVD-2026-18564
Analysis Generated
Apr 03, 2026 - 00:22 vuln.today
CVE Published
Apr 03, 2026 - 00:16 nvd
CRITICAL 10.0

DescriptionCVE.org

Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Server-side request forgery in Azure Databricks enables unauthenticated remote attackers to achieve full privilege escalation with critical impact across confidentiality, integrity, and availability. The vulnerability carries a maximum CVSS 10.0 score with network-based attack vector, low complexity, and scope change, indicating attackers can leverage the SSRF to break out of Databricks' security boundary and access underlying cloud infrastructure or customer data. No public exploit or active exploitation confirmed at time of analysis, though the low attack complexity suggests straightforward exploitation once attack surface is identified.

Technical ContextAI

Server-side request forgery (CWE-918) vulnerabilities occur when an application accepts user-supplied URLs or hostnames and fetches remote resources without proper validation, allowing attackers to make the server send crafted requests to arbitrary destinations. In cloud platforms like Azure Databricks-a managed Apache Spark analytics service-SSRF can be particularly severe because the service runs with elevated cloud IAM permissions and access to internal metadata services (e.g., Azure Instance Metadata Service at 169.254.169.254). Attackers can abuse SSRF to retrieve cloud credentials, access internal APIs, pivot to backend databases, or interact with co-tenant resources. The scope change (S:C) in the CVSS vector indicates the vulnerable component affects resources beyond its own authorization scope, consistent with breaking out of the Databricks workspace boundary to access underlying Azure infrastructure or other customer environments.

RemediationAI

Organizations should immediately review the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33107 for vendor-specific remediation guidance and patch availability. As Azure Databricks is a managed service, Microsoft typically deploys security updates automatically to the platform infrastructure without requiring customer action, but customers should verify their workspaces have received updates through Azure Service Health notifications or direct confirmation with Microsoft support. Until confirmed patched, implement defense-in-depth controls including restricting network access to Databricks workspaces through Azure Private Link or VNet injection, enforcing identity-based access controls with Azure Active Directory conditional access policies, enabling diagnostic logging to detect anomalous outbound requests, and reviewing workspace configurations to minimize blast radius if credential theft occurs. Organizations should audit recent Databricks access logs for suspicious patterns including unexpected outbound network connections, metadata service queries, or privilege escalation attempts that may indicate prior exploitation.

Share

CVE-2026-33107 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy