Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Privilege elevation in Microsoft Entra ID (formerly Azure AD), specifically affecting Microsoft Global Secure Access (GSA), allows remote unauthenticated attackers to gain elevated privileges over the network. The CVSS 7.5 rating reflects high confidentiality impact with no required authentication or user interaction, though no public exploit has been identified at time of analysis. The vector points to a flaw in how identity or access tokens are evaluated, which is particularly sensitive given Entra ID's role as a primary IAM backbone for Microsoft 365 and Azure tenants.
Technical ContextAI
Microsoft Entra ID is Microsoft's cloud identity and access management service that authenticates and authorizes users across Microsoft 365, Azure, and federated SaaS applications. The affected component per CPE data is Microsoft Global Secure Access (GSA), Microsoft's Security Service Edge (SSE) offering that brokers network access to private and internet resources through Entra-issued identity tokens. The CWE-269 (Improper Privilege Management) classification indicates the service does not correctly enforce the authorization boundary between privilege levels - typically meaning a low-privilege or unauthenticated principal can perform operations that should be restricted to higher-tier roles, often through flawed token claim validation, role assignment logic, or scope evaluation.
RemediationAI
Patch available per vendor advisory - Microsoft has remediated the issue on the service side, so no tenant-administrator action is required to receive the fix itself; administrators should confirm the deployment status at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23663. As complementary hardening, review Entra ID sign-in and audit logs for anomalous role activations, unexpected token issuance, or unusual GSA enforcement-profile access during the exposure window, and ensure Conditional Access policies, Privileged Identity Management (PIM) just-in-time elevation, and risk-based sign-in policies are enforced for privileged roles. If GSA is not actively used in the tenant, consider disabling the traffic forwarding profiles to reduce exposure surface, with the trade-off that any in-progress private-access or internet-access policies routed through GSA will stop being enforced.
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31521
GHSA-qcvg-4gch-p3w8