Skip to main content

Microsoft Entra ID EUVDEUVD-2026-31521

| CVE-2026-23663 HIGH
Improper Privilege Management (CWE-269)
2026-05-22 microsoft GHSA-qcvg-4gch-p3w8
7.5
CVSS 3.1 · NVD
Temporal: 6.5
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
6.5 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 22:47 vuln.today

DescriptionCVE.org

Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Privilege elevation in Microsoft Entra ID (formerly Azure AD), specifically affecting Microsoft Global Secure Access (GSA), allows remote unauthenticated attackers to gain elevated privileges over the network. The CVSS 7.5 rating reflects high confidentiality impact with no required authentication or user interaction, though no public exploit has been identified at time of analysis. The vector points to a flaw in how identity or access tokens are evaluated, which is particularly sensitive given Entra ID's role as a primary IAM backbone for Microsoft 365 and Azure tenants.

Technical ContextAI

Microsoft Entra ID is Microsoft's cloud identity and access management service that authenticates and authorizes users across Microsoft 365, Azure, and federated SaaS applications. The affected component per CPE data is Microsoft Global Secure Access (GSA), Microsoft's Security Service Edge (SSE) offering that brokers network access to private and internet resources through Entra-issued identity tokens. The CWE-269 (Improper Privilege Management) classification indicates the service does not correctly enforce the authorization boundary between privilege levels - typically meaning a low-privilege or unauthenticated principal can perform operations that should be restricted to higher-tier roles, often through flawed token claim validation, role assignment logic, or scope evaluation.

RemediationAI

Patch available per vendor advisory - Microsoft has remediated the issue on the service side, so no tenant-administrator action is required to receive the fix itself; administrators should confirm the deployment status at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23663. As complementary hardening, review Entra ID sign-in and audit logs for anomalous role activations, unexpected token issuance, or unusual GSA enforcement-profile access during the exposure window, and ensure Conditional Access policies, Privileged Identity Management (PIM) just-in-time elevation, and risk-based sign-in policies are enforced for privileged roles. If GSA is not actively used in the tenant, consider disabling the traffic forwarding profiles to reduce exposure surface, with the trade-off that any in-progress private-access or internet-access policies routed through GSA will stop being enforced.

Share

EUVD-2026-31521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy