{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21229", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-11T21:02:05.734Z", "datePublished": "2026-02-10T17:51:25.595Z", "dateUpdated": "2026-05-11T21:25:23.894Z"}, "containers": {"cna": {"title": "Power BI Remote Code Execution Vulnerability", "datePublic": "2026-02-10T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0", "versionEndExcluding": "15.0.1120.113"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Power BI Report Server", "versions": [{"version": "1.6.0", "lessThan": "15.0.1120.113", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper input validation in Power BI allows an authorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-20: Improper Input Validation", "lang": "en-US", "type": "CWE", "cweId": "CWE-20"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:23.894Z"}, "references": [{"name": "Power BI Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21229"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21229", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:55:56.139298Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:47.485Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21229", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:55:56.139298Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:43:18.625Z"}}], "cna": {"title": "Power BI Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Power BI Report Server", "versions": [{"status": "affected", "version": "1.6.0", "lessThan": "15.0.1120.113", "versionType": "custom"}]}], "datePublic": "2026-02-10T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21229", "name": "Power BI Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper input validation in Power BI allows an authorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "15.0.1120.113", "versionStartIncluding": "1.6.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:23.894Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21229", "state": "PUBLISHED", "dateUpdated": "2026-05-11T21:25:23.894Z", "dateReserved": "2025-12-11T21:02:05.734Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-10T17:51:25.595Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F720CB52-BD7A-4695-AFD2-84FD4CB9AE32", "versionEndExcluding": "15.0.1120.113", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper input validation in Power BI allows an authorized attacker to execute code over a network."}], "id": "CVE-2026-21229", "lastModified": "2026-02-11T21:15:13.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-10T18:16:23.453", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21229"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.6.0,15.0.1120.113)"}}], "product": "power_bi_report_server", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-16T01:02:41.127679+00:00", "value": {"mitigation_remediation": ["Apply the Microsoft security update for Power\u202fBI Report Server that addresses CVE\u20112026\u201121229.", "Restrict network access to the Power\u202fBI service to trusted networks or use VPN tunnels so that only authorized users can reach it.", "Enforce least\u2011privilege on Power\u202fBI accounts and regularly review permissions to ensure only users who require access can upload or manage reports.", "Monitor logs for suspicious activity, such as unexpected report uploads or executions."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Microsoft Power\u202fBI Report Server. The advisory does not list specific affected versions, suggesting that all releases that process request payloads in the described manner may be vulnerable. Organizations should assume all Power\u202fBI Report Server deployments are potentially affected until a vendor patch has been applied.", "description_and_impact": "Improper input validation in Microsoft Power\u202fBI Report Server allows an authenticated attacker with necessary permissions to execute arbitrary code on the server. Based on the description, it is inferred that the attacker must be authenticated and possess necessary permissions. The flaw is a classic input validation weakness mapped to CWE\u201120. By sending specially crafted requests that the service interprets as executable commands, an attacker can gain full control of the Power\u202fBI instance, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The flaw received a CVSS score of 8, indicating high severity. The EPSS score is less than 1\u202f%, implying that widespread exploitation activity is currently low. The vulnerability is not listed in the CISA KEV catalogue. Exploitation requires an authenticated session with sufficient privileges; based on the description, it is inferred that the attacker must have legitimate credentials, thus the threat surface is limited to insiders or attackers who have compromised legitimate credentials. Due to the high severity, operators should prioritize remediation once the patch is available."}}}}, "created": "2026-02-10T21:33:46.692952+00:00", "updated": "2026-04-16T01:15:20.519679+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$power_bi_report_server"]}