Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network.
An attacker sends specially crafted data over the network, which the Microsoft Planetary Computer Pro application deserializes without proper verification of its origin and content. The process of deserializing untrusted data can lead to unintended server-side logic execution. The attack vector is network-based, requires no authentication or any user interaction, and the vulnerability affects components outside the direct scope of the application (Scope: Changed).
An attacker can gain unauthorized access to sensitive information processed or stored by Microsoft Planetary Computer Pro. High impact on confidentiality, integrity, and availability indicates the possibility of serious compromise of the environment in which the application operates.
Apply patches available from the vendor according to the references — details regarding the patched version are available in the Microsoft Security Response Center at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41104
Microsoft Planetary Computer Pro — versions indicated in the vendor's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMicrosoft Planetary Computer
APPMicrosoftwszystkie wersje
Related vulnerabilities
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server
RCE w Windows Server Update Service (WSUS) — deserializacja danych
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
RCE przez deserialization w Microsoft SharePoint Server (on-premises)