CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-42901

CVSS 10.0v3.1pub. 2026-05-22upd. 2026-05-27

Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The vulnerability results from a request origin validation error (CWE-346 — Origin Validation Error), meaning that Microsoft Entra ID incorrectly verifies the source of a network request. An attacker can send crafted requests that are treated as originating from a trusted source. This makes it possible to bypass access control mechanisms and obtain elevated privileges without possessing any credentials.

Impact

An unauthenticated attacker can obtain elevated privileges in the Microsoft Entra ID environment, potentially leading to full takeover of identities, resources, and service configuration beyond the original attack context (scope changed).

Mitigation & patch

Patches available from the vendor should be applied according to the references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42901

Who is affected

Microsoft Entra ID — versions specified in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Entra Id

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-33843CRITICAL9.1PL ✓ten sam produkt

Obejście uwierzytelnienia w Microsoft Azure Active Directory B2C

CVE-2026-40379CRITICAL9.3PL ✓ten sam produkt

Ujawnienie wrażliwych danych w Azure Entra ID umożliwiające spoofing

CVE-2026-35431CRITICAL10.0PL ✓ten sam produkt

SSRF w Microsoft Entra ID Entitlement Management umożliwia spoofing

CVE-2026-24305CRITICAL9.3PL ✓ten sam produkt

Microsoft Entra ID — Elevation of Privilege (nieautoryzowane podwyższenie uprawnień)

CVE-2025-59246CRITICAL9.8PL ✓ten sam produkt

Eskalacja uprawnień w Microsoft Azure Entra ID (CVE-2025-59246)