Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
The vulnerability results from a request origin validation error (CWE-346 — Origin Validation Error), meaning that Microsoft Entra ID incorrectly verifies the source of a network request. An attacker can send crafted requests that are treated as originating from a trusted source. This makes it possible to bypass access control mechanisms and obtain elevated privileges without possessing any credentials.
An unauthenticated attacker can obtain elevated privileges in the Microsoft Entra ID environment, potentially leading to full takeover of identities, resources, and service configuration beyond the original attack context (scope changed).
Patches available from the vendor should be applied according to the references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42901
Microsoft Entra ID — versions specified in the vendor's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMicrosoft Entra Id
APPMicrosoftwszystkie wersje
Related vulnerabilities
Obejście uwierzytelnienia w Microsoft Azure Active Directory B2C
Ujawnienie wrażliwych danych w Azure Entra ID umożliwiające spoofing
SSRF w Microsoft Entra ID Entitlement Management umożliwia spoofing
Microsoft Entra ID — Elevation of Privilege (nieautoryzowane podwyższenie uprawnień)
Eskalacja uprawnień w Microsoft Azure Entra ID (CVE-2025-59246)