Skip to main content

Microsoft Entra Provisioning Service

1 CVEs product

Monthly

CVE-2026-57100 HIGH PATCH NEWS NO ACTION HOSTED Monitor

Privilege escalation via server-side request forgery affects the Microsoft Entra Provisioning Service (SyncFabric), where an authenticated attacker with low privileges can coerce the service into making attacker-controlled network requests to reach internal endpoints and elevate privileges across the identity provisioning fabric. Microsoft has released a fix through MSRC; there is no public exploit identified at time of analysis, and SSVC rates exploitation as none with an EPSS of 0.64%. The high CVSS of 8.8 is driven by total technical impact (C:H/I:H/A:H) against a cloud identity control plane.

SSRF Microsoft Microsoft Entra Provisioning Service
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
EPSS 1% CVSS 8.8
HIGH PATCH NO ACTION HOSTED Monitor

Privilege escalation via server-side request forgery affects the Microsoft Entra Provisioning Service (SyncFabric), where an authenticated attacker with low privileges can coerce the service into making attacker-controlled network requests to reach internal endpoints and elevate privileges across the identity provisioning fabric. Microsoft has released a fix through MSRC; there is no public exploit identified at time of analysis, and SSVC rates exploitation as none with an EPSS of 0.64%. The high CVSS of 8.8 is driven by total technical impact (C:H/I:H/A:H) against a cloud identity control plane.

SSRF Microsoft Microsoft Entra Provisioning Service
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy