{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21531", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-30T18:10:54.847Z", "datePublished": "2026-02-10T17:51:31.660Z", "dateUpdated": "2026-05-11T21:25:32.778Z"}, "containers": {"cna": {"title": "Azure SDK for Python Remote Code Execution Vulnerability", "datePublic": "2026-02-10T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_ai_language_authoring:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.0.0b4"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure AI Language Authoring", "versions": [{"version": "1.0.0", "lessThan": "1.0.0b4", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-502: Deserialization of Untrusted Data", "lang": "en-US", "type": "CWE", "cweId": "CWE-502"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:32.778Z"}, "references": [{"name": "Azure SDK for Python Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21531", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:07.295834Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:46.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21531", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-11T04:56:07.295834Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:43:12.708Z"}}], "cna": {"title": "Azure SDK for Python Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure AI Language Authoring", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.0b4", "versionType": "custom"}]}], "datePublic": "2026-02-10T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531", "name": "Azure SDK for Python Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_ai_language_authoring:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.0.0b4", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T18:10:11.420Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21531", "state": "PUBLISHED", "dateUpdated": "2026-05-11T18:10:11.420Z", "dateReserved": "2025-12-30T18:10:54.847Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-10T17:51:31.660Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_conversation_authoring_client_library:1.0.0:beta1:*:*:*:python:*:*", "matchCriteriaId": "5F0D2A31-6685-4968-B9BD-8538BD0CD134", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_conversation_authoring_client_library:1.0.0:beta2:*:*:*:python:*:*", "matchCriteriaId": "6083B261-3037-4BFB-ACC5-B8945AE1046F", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:azure_conversation_authoring_client_library:1.0.0:beta3:*:*:*:python:*:*", "matchCriteriaId": "CF3829C8-635B-4E0B-9C39-9FEA1A595C57", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network."}], "id": "CVE-2026-21531", "lastModified": "2026-02-12T15:49:25.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-02-10T18:16:35.580", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0.0,1.0.0b4)"}}], "product": "azure_ai_language_authoring", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-15T16:28:52.537220+00:00", "value": {"mitigation_remediation": ["Upgrade all Azure SDK for Python dependencies to the latest patched release as soon as available.", "Apply network segmentation so that only trusted services or internal endpoints can communicate with the Azure SDK components.", "Ensure that all data deserialized by the SDK originates from trusted, validated sources; enforce strict input validation before processing."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Microsoft Azure AI Language Authoring and Azure Conversation Authoring Client Library for Python (v1.0.0 beta1, beta2, and beta3) are affected. Applications that import these libraries and process data from untrusted sources are at risk.", "description_and_impact": "Untrusted data deserialization in the Azure SDK for Python creates a remote code execution vulnerability that allows an off\u2011network attacker to run arbitrary code on any host processing the data. The flaw is classed as CWE\u2011502 and carries a very high severity indicated by a CVSS score of 9.8, reflecting both the ability to compromise confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score of 9.8 signals a critical risk, while the EPSS score of <\u202f1\u202f% indicates that, although the likelihood of exploitation in the current population is low, the vulnerability remains dangerous. The attack vector is inferred to be remote over the network, whereby the attacker sends crafted data to the SDK, triggering code execution. The vulnerability is not listed in the CISA KEV catalog, but the impact of successful exploitation would be complete compromise of any host running the vulnerable SDK."}}}}, "created": "2026-02-10T21:33:45.918181+00:00", "updated": "2026-04-15T17:45:10.821159+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_ai_language_authoring"]}