Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Microsoft Purview is vulnerable to server-side request forgery (SSRF) that enables unauthenticated remote attackers to escalate privileges across network boundaries. This network-accessible vulnerability requires no user interaction and impacts the confidentiality of affected systems. No patch is currently available.
Technical ContextAI
This vulnerability affects Microsoft Purview, Microsoft's data governance and compliance platform used for managing and protecting enterprise data across cloud and on-premises environments. The issue is classified as CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches remote resources without validating user-supplied URLs, allowing attackers to make the server perform requests to arbitrary destinations. The SSRF vulnerability in Purview could allow attackers to bypass network segmentation and access internal services that would normally be inaccessible from the internet.
RemediationAI
Organizations should immediately check the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26139 for available security updates and apply them according to Microsoft's guidance. As an interim mitigation, restrict network access to Purview instances using firewall rules or network segmentation to limit exposure to trusted IP ranges only. Additionally, implement robust monitoring for unusual outbound requests from Purview servers that could indicate SSRF exploitation attempts, and ensure proper input validation and URL whitelisting are configured where possible.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13186