CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-33107

CVSS 10.0v3.1pub. 2026-04-03upd. 2026-04-06

Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The SSRF class vulnerability (CWE-918) involves a server-side application executing network requests based on data controlled by an attacker, without proper validation. In the case of Azure Databricks, an unauthenticated network attacker can craft requests directed to internal resources within the cloud environment. Exploiting this vulnerability leads to privilege escalation, potentially giving the attacker access to resources and data unavailable to regular users. The attack vector is network-based, with no authentication requirement (PR:N) and no user interaction (UI:N), which means full remote exploitation.

Impact

An attacker can gain full control over Azure Databricks environment resources, including confidentiality, integrity, and availability of data — all three dimensions rated as HIGH with extended attack scope (S:C). In practice, this means the possibility of unauthorized access to internal services, data theft, and potential takeover of infrastructure control.

Mitigation & patch

Apply patches available from the vendor according to references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33107. It is recommended to immediately monitor Microsoft Security Response Center communications and apply updates promptly upon release. Additionally, it is advisable to restrict network access to Azure Databricks environments only to trusted sources and monitor outgoing traffic from instances for anomalies.

Who is affected

Microsoft Azure Databricks — versions indicated in vendor references (Microsoft Security Response Center).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Databricks

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-53770CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserialization w Microsoft SharePoint Server (on-premises)