Skip to main content

Azure Monitor Action Group CVE-2026-41105

| EUVDEUVD-2026-28457 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-07 microsoft GHSA-96jg-8w8q-qmmc
8.1
CVSS 3.1 · NVD
Temporal: 7.1
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.1 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 22:01 vuln.today
CVE Published
May 07, 2026 - 20:58 nvd
HIGH 8.1

DescriptionCVE.org

Server-side request forgery (ssrf) in Azure Notification Service allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Server-side request forgery in Azure Monitor Action Group Notification System allows authenticated attackers with low privileges to access internal Azure resources and escalate privileges over the network. Microsoft has released a patch addressing this SSRF vulnerability. The attack requires low complexity and no user interaction, enabling authenticated users to abuse the notification service to make unauthorized requests to internal services, potentially accessing high-value confidential data or performing privileged operations within the Azure environment.

Technical ContextAI

This vulnerability affects the Azure Monitor Action Group Notification System, a cloud service component responsible for triggering notifications based on Azure Monitor alerts. The flaw is classified as CWE-918 (Server-Side Request Forgery), where insufficient validation of user-supplied URLs allows attackers to manipulate the server into making HTTP requests to arbitrary destinations. In Azure cloud environments, SSRF vulnerabilities are particularly dangerous because they can bypass network segmentation, access metadata endpoints (such as Azure Instance Metadata Service at 169.254.169.254), retrieve managed identity tokens, or interact with internal services not exposed to the internet. The affected component is identified by CPE as the Azure Monitor Action Group Notification System, which integrates with multiple Azure services to deliver alerts via webhooks, email, SMS, and other channels.

RemediationAI

Microsoft has released an official patch for this vulnerability, available through the Azure platform's automatic service updates. Customers should verify their Azure Monitor Action Group configurations have received the security update by consulting the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41105. As Azure is a managed service, patches are typically applied automatically by Microsoft, but customers should confirm application and review audit logs for any suspicious Action Group modifications or unusual webhook activity during the vulnerable period. As a compensating control while verifying patch status, organizations can implement Azure Policy to restrict Action Group creation and modification permissions to only highly privileged administrators, reducing the attack surface from PR:L to PR:H effectively. Additionally, enable Azure Monitor Activity Logs to detect unauthorized Action Group changes and implement network egress filtering rules to limit outbound connectivity from Azure resources to only approved external endpoints. These controls add operational overhead by centralizing Action Group management but significantly reduce exploitation risk in multi-user environments.

Share

CVE-2026-41105 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy