Skip to main content

Azure Synapse EUVDEUVD-2026-38088

| CVE-2026-48584 HIGH
Execution with Unnecessary Privileges (CWE-250)
2026-06-19 secure@microsoft.com GHSA-wgqw-grm5-9368
8.8
CVSS 3.1 · NVD
Temporal: 8.6
Share

Severity by source

Vendor (microsoft) PRIMARY
CRITICAL
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
8.6 HIGH
cvss
vuln.today AI
8.8 HIGH

Network-reachable service abused by an existing low-privileged workspace user (PR:L) with no interaction; privilege escalation yields full confidentiality, integrity, and availability impact within an unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 29, 2026 - 15:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 29, 2026 - 15:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 29, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
Jun 29, 2026 - 15:22 NVD
CRITICAL HIGH
CVSS changed
Jun 29, 2026 - 15:22 NVD
9.9 (CRITICAL) 8.8 (HIGH)
Analysis Generated
Jun 19, 2026 - 21:41 vuln.today
CVE Published
Jun 19, 2026 - 21:17 nvd
CRITICAL 9.9

DescriptionNVD

Execution with unnecessary privileges in Azure Synapse allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in Microsoft Azure Synapse (the cloud analytics service) allows an already-authorized, low-privileged attacker to elevate their privileges over the network, gaining high confidentiality, integrity, and availability impact (CVSS 8.8). The root cause is a component executing with unnecessary privileges (CWE-250), letting a tenant or workspace user with limited rights break out to a higher trust level. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged Synapse user
Delivery
Send request to over-privileged component
Exploit
Component executes with excessive privileges
Execution
Escalate to elevated workspace role
Impact
Access or alter restricted data and pipelines

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already be an authorized, low-privileged principal within an Azure Synapse workspace/tenant (CVSS PR:L) - this is not anonymous remote access. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward 'real-but-not-urgent.' The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) indicates a network-reachable, low-complexity attack requiring some existing privileges and no user interaction, with total impact to the affected scope - consistent with SSVC's 'Technical Impact: total.' However, SSVC also reports 'Exploitation: none' and 'Automatable: no,' and EPSS is only 0.50% (39th percentile), so there is no evidence of active or imminent mass exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds a low-privileged account in an Azure Synapse workspace (for example a data engineer or pipeline user) sends crafted requests to an over-privileged Synapse component, causing it to perform actions under elevated privileges and granting the attacker control over data, pipelines, or configurations they should not be able to access. No user interaction or social engineering is required, but the attacker must first possess valid limited credentials in the tenant. …
Remediation Patch available per vendor advisory: Microsoft reports a fix is available, and because Azure Synapse is a Microsoft-managed cloud service the correction is typically deployed server-side by Microsoft rather than installed by customers - review the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48584 to confirm whether any customer-side action (e.g., updating self-hosted integration runtimes, Spark/SQL pool runtime versions, or workspace configurations) is required for full mitigation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Azure Synapse deployments in use and note their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38088 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy