Skip to main content

Microsoft Entra ID CVE-2026-42901

| EUVDEUVD-2026-31522 CRITICAL
Origin Validation Error (CWE-346)
2026-05-22 microsoft GHSA-2jpj-7p7q-hfqj
10.0
CVSS 3.1 · NVD
Temporal: 8.7
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CIRCL (temporal)
8.7 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 22:47 vuln.today

DescriptionCVE.org

Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain elevated privileges across tenant boundaries (scope-changed). The CVSS 10.0 rating reflects maximum impact across confidentiality, integrity, and availability with no authentication or user interaction required, though no public exploit has been identified at time of analysis and EPSS data is not provided.

Technical ContextAI

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity and access management service used for authentication, single sign-on, and authorization across Microsoft 365, Azure, and federated third-party applications. The root cause is CWE-346 (Origin Validation Error), where the service fails to correctly verify the origin or source of a request, allowing requests from untrusted origins to be processed as if they came from trusted contexts. In identity provider contexts, origin validation failures typically affect token issuance, OAuth/OIDC flows, or cross-tenant request handling, enabling attackers to impersonate trusted callers or cross security boundaries.

RemediationAI

Patch available per vendor advisory - Microsoft has indicated a fix is available via the MSRC update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42901. As Entra ID is a Microsoft-hosted cloud service, the remediation is applied server-side by Microsoft and does not require customer action to deploy code patches. Customers should nonetheless review Entra ID sign-in logs and audit logs for anomalous token issuance, unexpected cross-tenant access, or unusual application consent activity during the pre-disclosure window, enforce Conditional Access policies requiring compliant devices and MFA for privileged roles, and ensure Privileged Identity Management (PIM) is used for just-in-time elevation to limit standing privileges that an origin-validation bypass could be combined with.

Share

CVE-2026-42901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy