{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24305", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-21T21:28:02.969Z", "datePublished": "2026-01-22T22:47:36.181Z", "dateUpdated": "2026-04-01T13:49:25.092Z"}, "containers": {"cna": {"title": "Azure Entra ID Elevation of Privilege Vulnerability", "datePublic": "2026-01-22T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:microsoft_entra_id:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Entra", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Azure Entra ID Elevation of Privilege Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-285: Improper Authorization", "lang": "en-US", "type": "CWE", "cweId": "CWE-285"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:25.092Z"}, "references": [{"name": "Azure Entra ID Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24305"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-24T04:55:14.567230Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:29.923Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-24T04:55:14.567230Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T13:27:29.637Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Azure Entra ID Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Entra", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-01-22T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24305", "name": "Azure Entra ID Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Azure Entra ID Elevation of Privilege Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:microsoft_entra_id:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:25.092Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24305", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:49:25.092Z", "dateReserved": "2026-01-21T21:28:02.969Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-01-22T22:47:36.181Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:entra_id:-:*:*:*:*:*:*:*", "matchCriteriaId": "D09E509F-AFF3-4991-877A-D197388E7AD4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Azure Entra ID Elevation of Privilege Vulnerability"}], "id": "CVE-2026-24305", "lastModified": "2026-02-03T12:46:12.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-22T23:15:58.667", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24305"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T07:37:19.879848+00:00", "value": {"mitigation_remediation": ["Install the vendor\u2011supplied patch or update for Microsoft Entra ID provided by Microsoft\u2019s security update guide.", "Reconfigure role\u2011based access controls to ensure users possess only the minimum permissions needed for their functions, consistent with the CWE\u2011285 guidance on proper authorization controls.", "Enable and review audit logs for privileged actions in Entra ID to detect any unauthorized elevation attempts."], "summary": {"action": "Apply Patch", "impact": "Elevation of Privilege"}, "threat_synthesis": {"affected_systems": "Microsoft Entra ID is the affected product. No specific version ranges are listed in the CNA data; all deployments may need to verify against Microsoft\u2019s update guide.", "description_and_impact": "The CVE identifies an access\u2011control flaw in Microsoft Entra ID that could allow an attacker to obtain privileges beyond those they should have. The brief description states that unauthorized elevation is possible. Based on the CWE\u2011285 labeling, it is inferred that the flaw could be exploited to perform actions that an authenticated user should not be able to carry out, potentially compromising confidentiality, integrity, or availability of the service.", "risk_and_exploitability": "The CVSS score of 9.3 signals a high severity for remote exploitation, but EPSS indicates a very low probability of enterprise exploitation (<1%). The vulnerability is not currently listed in the CISA KEV catalog. It is inferred that the attack vector could be remote, but the CVE does not specify required conditions; the high score suggests that if exploited, the impact would be significant. Overall risk is tempered by the low EPSS but remains high per the severity metric."}}}}, "created": "2026-04-16T07:45:06.016298+00:00", "updated": "2026-04-16T07:45:06.016308+00:00", "vendors": []}