Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable SSRF requiring a low-privileged authenticated identity (PR:L), no user interaction, with total impact per SSVC on the identity fabric yields C:H/I:H/A:H.
Primary rating from Vendor (microsoft).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
Server-side request forgery (ssrf) in Microsoft Entra Provisioning Service (SyncFabric) allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege escalation via server-side request forgery affects the Microsoft Entra Provisioning Service (SyncFabric), where an authenticated attacker with low privileges can coerce the service into making attacker-controlled network requests to reach internal endpoints and elevate privileges across the identity provisioning fabric. Microsoft has released a fix through MSRC; there is no public exploit identified at time of analysis, and SSVC rates exploitation as none with an EPSS of 0.64%. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated foothold: the CVSS vector specifies PR:L, so the attacker must already hold a low-privileged authorized identity able to interact with the Microsoft Entra Provisioning Service (SyncFabric) - this is not exploitable by anonymous internet users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are somewhat divergent and should be weighed together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a low-privileged authenticated identity within a tenant submits crafted provisioning configuration or input that causes the SyncFabric service to issue an outbound request to an attacker-chosen internal endpoint. By reaching internal metadata or trusted service endpoints that the provisioning service can access but the user cannot, the attacker elevates privileges within the identity fabric. … |
| Remediation | Because Microsoft Entra Provisioning Service is a cloud-hosted service, remediation is primarily vendor-side: Microsoft reports a patch is available and has been rolled out through the service, so no customer-installed update is required - review the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57100 for confirmation of remediation status and any tenant-side guidance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all SyncFabric instances, document current versions, and verify administrative access is properly restricted. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41442
GHSA-29v8-q543-pf5w