Skip to main content

Azure Privileged Identity Management EUVDEUVD-2026-31509

| CVE-2026-35430 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-22 microsoft GHSA-gq45-95jh-mxm7
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 22:48 vuln.today

DescriptionCVE.org

Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in Microsoft Azure Privileged Identity Management (PIM) allows an authenticated attacker to bypass authorization checks by manipulating a user-controlled key, escalating privileges over the network. The flaw stems from an Insecure Direct Object Reference (IDOR) pattern (CWE-639) where the service trusts a client-supplied identifier when making authorization decisions. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Azure PIM is Microsoft's just-in-time privileged access management service in Entra ID (formerly Azure AD), used to grant time-bound, approval-gated elevation to roles like Global Administrator. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR flaw where the application uses an identifier supplied by the requester - such as a role assignment ID, target principal ID, or scope key - to look up or authorize an operation without independently verifying that the calling identity owns or is entitled to that resource. In a PIM context, this typically means an authenticated tenant user can substitute another principal's or role's identifier in an activation, assignment, or approval API request and have the backend honor it.

RemediationAI

Patch available per vendor advisory; because Azure PIM is a Microsoft-operated cloud service, the fix is applied server-side by Microsoft and no customer-installed update is required - administrators should confirm remediation status against the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35430. As compensating and durable controls, tenants should audit Entra ID role assignments and PIM activation history for unexpected elevations during the exposure window, enforce approval workflows and MFA on activation of privileged roles (which limits silent abuse but adds friction for legitimate admins), tighten eligible-role membership to the minimum set of users, and enable Entra ID sign-in and audit log forwarding to a SIEM to detect anomalous role-activation or assignment-modification API calls. Restricting eligibility scope and requiring approvals does not block the underlying authorization bypass but raises the chance of detection.

Share

EUVD-2026-31509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy