Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain elevated privileges across tenant boundaries (scope-changed). The CVSS 10.0 rating reflects maximum impact across confidentiality, integrity, and availability with no authentication or user interaction required, though no public exploit has been identified at time of analysis and EPSS data is not provided.
Technical ContextAI
Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service used for authentication, single sign-on, and authorization across Microsoft 365, Azure, and federated third-party applications. The root cause is CWE-346 (Origin Validation Error), where the service fails to correctly verify the origin or source of a request, allowing requests from untrusted origins to be processed as if they came from trusted contexts. In identity provider contexts, origin validation failures typically affect token issuance, OAuth/OIDC flows, or cross-tenant request handling, enabling attackers to impersonate trusted callers or cross security boundaries.
RemediationAI
Patch available per vendor advisory - Microsoft has indicated a fix is available via the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42901. As Entra ID is a Microsoft-hosted cloud service, the remediation is applied server-side by Microsoft and does not require customer action to deploy code patches. Customers should nonetheless review Entra ID sign-in logs and audit logs for anomalous token issuance, unexpected cross-tenant access, or unusual application consent activity during the pre-disclosure window, enforce Conditional Access policies requiring compliant devices and MFA for privileged roles, and ensure Privileged Identity Management (PIM) is used for just-in-time elevation to limit standing privileges that an origin-validation bypass could be combined with.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31522
GHSA-2jpj-7p7q-hfqj