Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Technical ContextAI
Azure PIM is Microsoft's just-in-time privileged access management service in Entra ID (formerly Azure AD), used to grant time-bound, approval-gated elevation to roles like Global Administrator. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR flaw where the application uses an identifier supplied by the requester - such as a role assignment ID, target principal ID, or scope key - to look up or authorize an operation without independently verifying that the calling identity owns or is entitled to that resource. In a PIM context, this typically means an authenticated tenant user can substitute another principal's or role's identifier in an activation, assignment, or approval API request and have the backend honor it.
RemediationAI
Patch available per vendor advisory; because Azure PIM is a Microsoft-operated cloud service, the fix is applied server-side by Microsoft and no customer-installed update is required - administrators should confirm remediation status against the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35430. As compensating and durable controls, tenants should audit Entra ID role assignments and PIM activation history for unexpected elevations during the exposure window, enforce approval workflows and MFA on activation of privileged roles (which limits silent abuse but adds friction for legitimate admins), tighten eligible-role membership to the minimum set of users, and enable Entra ID sign-in and audit log forwarding to a SIEM to detect anomalous role-activation or assignment-modification API calls. Restricting eligibility scope and requiring approvals does not block the underlying authorization bypass but raises the chance of detection.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31509
GHSA-gq45-95jh-mxm7