Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Remote unauthenticated attackers can exploit a server-side request forgery (SSRF) vulnerability in Microsoft Partner Center to access internal resources and perform spoofing attacks. The vulnerability allows high-level information disclosure with limited integrity impact, requiring no user interaction or special privileges. Microsoft has released a security patch, and while CVSS rates this 8.2 (High), no active exploitation or public proof-of-concept has been identified at time of analysis.
Technical ContextAI
This is a CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) vulnerability, commonly manifested as Server-Side Request Forgery (SSRF). The flaw occurs when Microsoft Partner Center accepts user-controlled input to construct resource references (URLs, file paths, or internal service calls) without proper validation. This allows attackers to manipulate the application into accessing unintended internal resources, cloud metadata services, or backend systems that should be isolated from external access. The CPE identifier (cpe:2.3:a:microsoft:microsoft_partner_center) indicates the vulnerability affects the Microsoft Partner Center platform, which is a web-based portal used by Microsoft partners to manage customer relationships, subscriptions, and billing. SSRF vulnerabilities in cloud-based management platforms are particularly dangerous because they can expose cloud instance metadata, internal APIs, and administrative interfaces not intended for public access.
RemediationAI
Apply the vendor-released security update immediately by consulting the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34327 for specific patch deployment instructions. Microsoft Partner Center is a cloud-hosted SaaS platform, so remediation typically involves Microsoft applying updates to the production environment rather than customer-side patching, though organizations should verify their tenant has received the update through the Microsoft 365 admin center or Partner Center notifications. Until confirmation of patch deployment, implement compensating controls by restricting network access to Partner Center administrative functions through conditional access policies, enabling multi-factor authentication for all partner accounts (reducing risk from potential credential exposure via SSRF), and monitoring Partner Center audit logs for unusual API calls or access patterns to internal resources. Note that network-level mitigations are limited for cloud SaaS platforms, and the primary mitigation remains verifying Microsoft has applied the security update to your tenant. Organizations should also review Partner Center permissions and apply principle of least privilege to limit potential impact from any SSRF-enabled information disclosure.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28452
GHSA-jvw8-2m5m-9449