Skip to main content

Azure Active Directory CVE-2026-50652

| EUVDEUVD-2026-43781 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-07-14 microsoft GHSA-79fq-78m6-5rrm
7.5
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
7.5 HIGH

Network-reachable, low-complexity, unauthenticated deserialization with no user interaction (AV:N/AC:L/PR:N/UI:N); impact limited to availability so C:N/I:N/A:H, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 18:17 vuln.today
CVE Published
Jul 14, 2026 - 17:05 nvd
HIGH 7.5

DescriptionCVE.org

Deserialization of untrusted data in Azure Active Directory allows an unauthorized attacker to deny service over a network.

AnalysisAI

Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-exposed Azure AD endpoint
Delivery
Send crafted serialized payload
Exploit
Trigger unsafe deserialization (CWE-502)
Execution
Exhaust resources or crash handler
Impact
Deny identity service to users

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation (AV:N/AC:L/PR:N/UI:N) against a network-reachable Azure Active Directory endpoint, requiring only the ability to send a crafted serialized request. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately consistent but point to a real, easily-triggered availability risk rather than a catastrophic compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote, unauthenticated attacker sends a crafted serialized payload to a network-exposed Azure AD processing endpoint, triggering unsafe deserialization that exhausts resources or crashes the handling component and denies authentication/identity service to legitimate users and applications. No credentials, user interaction, or non-default configuration are required, making the request trivial to send. …
Remediation Patch available per vendor advisory: Microsoft has released a fix, published at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50652 - review that advisory for the exact affected components and any customer action required, as much of the fix for a cloud identity service is applied by Microsoft platform-side and may need no direct action. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, assess organizational exposure to CVE-2026-50652, identify all Azure AD instances in use, and obtain the patch version from Microsoft Security Response Center (MSRC). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy