{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26125", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.911Z", "datePublished": "2026-03-05T22:18:21.732Z", "dateUpdated": "2026-04-14T16:36:21.324Z"}, "containers": {"cna": {"title": "Payment Orchestrator Service Elevation of Privilege Vulnerability", "datePublic": "2026-03-05T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:payment_orchestrator_service:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Payment Orchestrator Service", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Payment Orchestrator Service Elevation of Privilege Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-306: Missing Authentication for Critical Function", "lang": "en-US", "type": "CWE", "cweId": "CWE-306"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:21.324Z"}, "references": [{"name": "Payment Orchestrator Service Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26125"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T20:27:30.988353Z", "id": "CVE-2026-26125", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:27:39.197Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26125", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:27:30.988353Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:27:34.868Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Payment Orchestrator Service Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Payment Orchestrator Service", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-03-05T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26125", "name": "Payment Orchestrator Service Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Payment Orchestrator Service Elevation of Privilege Vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:payment_orchestrator_service:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:21.324Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26125", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:21.324Z", "dateReserved": "2026-02-11T15:52:13.911Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-05T22:18:21.732Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:payment_orchestrator_service:-:*:*:*:*:*:*:*", "matchCriteriaId": "925236E5-E4B9-41B6-BADA-AB96DFE62149", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Payment Orchestrator Service Elevation of Privilege Vulnerability"}, {"lang": "es", "value": "Servicio Orquestador de Pagos Elevaci\u00f3n de Privilegios Vulnerabilidad"}], "id": "CVE-2026-26125", "lastModified": "2026-03-16T15:38:45.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T23:16:20.160", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26125"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "secure@microsoft.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Payment Orchestrator Service", "source": "cna", "vendor": "Microsoft"}, "product": "payment_orchestrator_service", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-15T15:10:31.910594+00:00", "value": {"mitigation_remediation": ["Apply the Microsoft patch for CVE\u20112026-26125 as soon as it is available", "Limit the permissions granted to the Payment Orchestrator Service account to the minimum required for operation", "Enable auditing and monitor logs for any unauthorized elevation of privilege attempts"], "summary": {"action": "Patch Immediately", "impact": "Elevation of Privilege"}, "threat_synthesis": {"affected_systems": "Microsoft Payment Orchestrator Service is impacted. No specific version information is listed in the CNA data, so all released versions may be susceptible until a patch is provided.", "description_and_impact": "The Payment Orchestrator Service contains a flaw that enables an attacker to gain higher privileges than intended. The vulnerability is classified as CWE\u2011306, indicating that authentication requirements before authorization are missing or insufficient, allowing elevation of privilege. Attackers can potentially manipulate payment functions or access sensitive data. The precise mechanism is not disclosed, but the title suggests the flaw permits bypass of security controls within the service.", "risk_and_exploitability": "The CVSS score of 8.6 classifies the issue as high severity. EPSS is reported as less than 1\u202f%, indicating a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is not specified; it is inferred the flaw may involve inadequate authentication checks within the service, possibly exploitable by local or remote actors depending on configuration."}}}}, "created": "2026-03-06T14:56:41.352053+00:00", "updated": "2026-04-15T17:00:07.047086+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$payment_orchestrator_service"]}