Skip to main content
Mallory

Microsoft discloses SSRF flaws in Purview, Entra ID, and Dynamics 365 Online

cloud-service-vulnerabilityidentity-authentication-vulnerabilitywidely-deployed-product-advisory
Updated April 23, 2026 at 11:04 PM3 sources
Share:
Microsoft discloses SSRF flaws in Purview, Entra ID, and Dynamics 365 Online

Get Ahead of Threats Like This

Know if you're exposed. Before adversaries strike.

Microsoft published three high-severity cloud-service vulnerabilities affecting Microsoft Purview eDiscovery, Microsoft Entra ID Entitlement Management, and Microsoft Dynamics 365 Online. The flaws are tracked as CVE-2026-26150, CVE-2026-35431, and CVE-2026-32210, and all are classified as server-side request forgery (SSRF) under CWE-918. Microsoft tagged each issue as affecting an exclusively hosted service, indicating exposure in Microsoft-managed online environments rather than on-premises deployments.

According to the CVE records, CVE-2026-26150 could let an unauthorized attacker elevate privileges over a network in Purview eDiscovery, while CVE-2026-35431 and CVE-2026-32210 could enable spoofing in Entra ID Entitlement Management and Dynamics 365 Online. The published CVSS v3.1 vectors show low attack complexity and no required privileges across all three issues, with Entra ID carrying the broadest potential impact to confidentiality, integrity, and availability, and Dynamics 365 requiring user interaction. Microsoft linked the disclosures to its Security Response Center guidance for customer tracking and remediation.

Timeline

  1. Apr 23, 2026

    Microsoft publishes CVE-2026-35431 for Entra ID Entitlement Management SSRF spoofing flaw

    On 2026-04-23, Microsoft published CVE-2026-35431 affecting Microsoft Entra ID Entitlement Management. The issue is described as an SSRF vulnerability that could allow an unauthorized attacker to perform spoofing over a network.

  2. Apr 23, 2026

    Microsoft publishes CVE-2026-32210 for Dynamics 365 Online SSRF spoofing flaw

    On 2026-04-23, Microsoft published CVE-2026-32210 affecting Microsoft Dynamics 365 Online. The vulnerability is described as an SSRF issue that could let an unauthorized attacker perform spoofing over a network.

  3. Apr 23, 2026

    Microsoft publishes CVE-2026-26150 for Purview eDiscovery SSRF privilege escalation

    On 2026-04-23, Microsoft published CVE-2026-26150 affecting Microsoft Purview eDiscovery. The flaw is described as a server-side request forgery vulnerability that could allow an unauthorized attacker to elevate privileges over a network.

See the full picture in Mallory

Mallory subscribers get deeper analysis on every story, including:

Impact Assessment

Who’s affected and how

Technical Details

Deep-dive technical analysis

Response Recommendations

Actionable next steps for your team

Indicators of Compromise

IPs, domains, hashes, and more

AI Threads

Ask questions and take action on every story

Advanced Filters

Filter by topic, classification, timeframe

Scheduled Alerts

Get matching stories delivered automatically

Sources

cvefeed high severity
CVE-2026-35431 - Microsoft Entra ID Entitlement Management Spoofing Vulnerability
April 23, 2026 at 12:00 AM
cvefeed high severity
CVE-2026-26150 - Microsoft Purview eDiscovery Elevation of Privilege Vulnerability
April 23, 2026 at 12:00 AM
cvefeed high severity
CVE-2026-32210 - Microsoft Dynamics 365 (online) Spoofing Vulnerability
April 23, 2026 at 12:00 AM

Related Stories

Microsoft Fixes Privilege Escalation and Spoofing Flaws in Azure Databricks and Cloud Services

Microsoft Fixes Privilege Escalation and Spoofing Flaws in Azure Databricks and Cloud Services

Microsoft disclosed three cloud-service vulnerabilities affecting **Azure Databricks**, **Microsoft Purview eDiscovery**, and **Microsoft Entra ID Entitlement Management**. The issues are tracked as **`CVE-2026-33107`**, an elevation-of-privilege flaw in Azure Databricks; **`CVE-2026-26150`**, an elevation-of-privilege flaw in Microsoft Purview eDiscovery; and **`CVE-2026-35431`**, a spoofing flaw in Microsoft Entra ID Entitlement Management. Microsoft published the advisories through its Security Update Guide, indicating that multiple enterprise cloud components required security attention at the same time. The affected products span analytics, compliance, and identity governance functions that are widely used in Microsoft-centric environments. While Microsoft provided limited public technical detail in the advisories, the vulnerability classifications indicate potential risks including unauthorized privilege gains in Databricks and Purview workflows, as well as identity or trust abuse scenarios involving Entra ID Entitlement Management. Organizations using these services should review the relevant Microsoft advisories, assess exposure in tenant configurations, and apply available mitigations or service updates through normal cloud security and change-management processes.

1 weeks ago
Microsoft Discloses Multiple Critical Cloud and AI Service Vulnerabilities

Microsoft Discloses Multiple Critical Cloud and AI Service Vulnerabilities

Microsoft published several **critical** security advisories affecting cloud and AI services, including **Azure Cloud Shell**, **Azure DevOps**, **Azure Data Factory**, **Microsoft Copilot**, **M365 Copilot**, **Microsoft 365 Copilot BizChat**, **Microsoft Bing**, and **Bing Images**. The issues span **elevation of privilege**, **information disclosure**, **tampering**, and **remote code execution**, with listed weakness classes including **SSRF** (`CWE-918`), **insufficiently protected credentials** (`CWE-522`), **sensitive information exposure** (`CWE-200`), and **command injection** (`CWE-77`/`CWE-78`). Several advisories state that the vulnerabilities **require no customer action to resolve**, indicating Microsoft-managed remediation for affected online services. The most severe disclosures include **CVE-2026-32169** in *Azure Cloud Shell* with a **CVSS 10.0** elevation-of-privilege rating, **CVE-2026-32191** in *Microsoft Bing Images* with a **CVSS 9.8** remote code execution rating, and high-impact flaws in *Azure DevOps* (**CVE-2026-23658**), *Azure Data Factory* (**CVE-2026-23659**), and *Microsoft 365 Copilot BizChat* (**CVE-2026-26137**). Separate advisories also cover information disclosure in *Microsoft Copilot* (**CVE-2026-26136**) and *M365 Copilot* (**CVE-2026-24299**), plus a tampering flaw in *Microsoft Bing* (**CVE-2026-26120**). A separate report on the **RegPwn** Windows Registry privilege-escalation bug (**CVE-2026-24291**) describes a different issue in Windows accessibility and Secure Desktop handling and is not part of the same Microsoft cloud-service disclosure set.

1 weeks ago
Microsoft Discloses Elevation of Privilege Flaws in MMC, Partner Center, and Microsoft 365 Copilot

Microsoft Discloses Elevation of Privilege Flaws in MMC, Partner Center, and Microsoft 365 Copilot

Microsoft published security advisories for three **elevation of privilege** vulnerabilities affecting **Microsoft Management Console**, **Microsoft Partner Center**, and **Microsoft 365 Copilot**. The issues are tracked as `CVE-2026-27914`, `CVE-2026-24303`, and `CVE-2026-33102`, respectively, and were added to the Microsoft Security Update Guide as separate product-specific flaws. The disclosures indicate that both on-premises administrative tooling and cloud-connected Microsoft services are affected by privilege-escalation weaknesses. While Microsoft did not provide public synopses in the referenced advisories, the listings identify the impacted products and classify each issue as an elevation of privilege vulnerability, signaling potential risk to administrators, partners, and enterprise users relying on those platforms.

1 weeks ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed. Before adversaries strike.