Skip to main content

Planetary Computer Pro CVE-2026-41104

| EUVDEUVD-2026-31517 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-22 microsoft GHSA-3h27-65jm-6x5p
10.0
CVSS 3.1 · NVD
Temporal: 8.7
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CIRCL (temporal)
8.7 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 22:46 vuln.today

DescriptionCVE.org

Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.

AnalysisAI

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft malicious serialized payloads that the service processes, resulting in information disclosure across a trust boundary. The maximum CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, though no public exploit identified at time of analysis and EPSS data was not provided.

Technical ContextAI

The flaw is rooted in CWE-502 (Deserialization of Untrusted Data), a class in which an application reconstructs objects from attacker-controlled byte streams without sufficient type/whitelist validation, enabling gadget chains or type confusion to alter program state. The affected component per CPE is cpe:2.3:a:microsoft:microsoft_planetary_computer_pro_(geocatalog), Microsoft's managed Azure-hosted Planetary Computer Pro Geocatalog service, which ingests and catalogs geospatial STAC items and assets - a workflow that frequently involves parsing structured metadata and serialized objects from external sources, expanding the attack surface for untrusted input handling.

RemediationAI

Patch available per vendor advisory - apply the fix referenced in MSRC at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41104; because Planetary Computer Pro is a hosted Azure service, much of the remediation is delivered by Microsoft on the service plane, but customers should verify the patched build is rolled out to their tenant and review any client SDK or connector updates listed in the MSRC guidance. As compensating controls until confirmation of patch deployment, restrict network exposure of Geocatalog endpoints to known consumer IP ranges via Azure network security groups or Private Endpoints, enable diagnostic logging on the Geocatalog APIs to detect anomalous payloads, and avoid ingesting STAC items or asset metadata from untrusted external catalogs (trade-off: this blocks legitimate third-party data sources and may break automation that consumes public catalogs).

Share

CVE-2026-41104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy