{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26135", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T16:24:51.133Z", "datePublished": "2026-04-02T23:26:58.697Z", "dateUpdated": "2026-05-12T17:39:57.447Z"}, "containers": {"cna": {"title": "Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability", "datePublic": "2026-04-02T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_custom_locations_resource_provider:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Custom Locations Resource Provider", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:39:57.447Z"}, "references": [{"name": "Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26135"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-26135"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-04T03:55:36.366Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26135", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T12:53:33.327240Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:53:36.158Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.6, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Custom Locations Resource Provider", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-04-02T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26135", "name": "Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_custom_locations_resource_provider:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:39:57.447Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26135", "state": "PUBLISHED", "dateUpdated": "2026-05-12T17:39:57.447Z", "dateReserved": "2026-02-11T16:24:51.133Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-04-02T23:26:58.697Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_custom_locations_resource_provider:-:*:*:*:*:*:*:*", "matchCriteriaId": "D798F297-6C6B-4307-9E29-45C9788632D1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network."}], "id": "CVE-2026-26135", "lastModified": "2026-04-06T17:51:15.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 5.8, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T00:16:04.353", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26135"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}]}, "product": "azure_custom_locations_resource_provider", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-06T21:51:49.662570+00:00", "value": {"mitigation_remediation": ["Apply the latest Microsoft security update for the Azure Custom Locations Resource Provider via the Microsoft Security Response Center", "Restrict the provider\u2019s outbound network calls using Azure Network Security Groups or Azure Firewall rules to prevent access to untrusted destinations", "If a patch is not yet available, remove or disable the Custom Locations Resource Provider from subscriptions that do not require it", "Enable Azure Activity Log alerts for Custom Locations operations and monitor for anomalous request patterns", "Ensure that only trusted, principle\u2011of\u2011least\u2011privilege users have permissions to manage the Custom Locations Resource Provider"], "summary": {"action": "Apply Patch", "impact": "Elevation of Privilege"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Microsoft Azure Custom Locations Resource Provider. No affected\u2010version data is available in the CVE payload, so administrators should assume that any deployment of the provider may be vulnerable until Microsoft releases a patch. Future updates from Microsoft will specify the fixed versions.", "description_and_impact": "A server\u2010side request forgery flaw exists in the Azure Custom Locations Resource Provider that can be abused by an authorized user. By causing the provider to access arbitrary URLs, an attacker can obtain unauthorized access or modify resources, effectively elevating their permissions within the Azure environment. The weakness is classified as CWE\u2011918 and results in unauthorized privilege escalation.", "risk_and_exploitability": "The CVSS score of 9.6 signals critical severity, yet the EPSS score of less than 1\u202f% indicates that real\u2011world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a user with legitimate access to the provider\u2019s operations and the ability to influence its outbound network requests. Successful exploitation could allow the attacker to gain broader privileges within the associated Azure subscription or compromise other resources reachable from the network."}}}}, "created": "2026-04-03T08:57:52.754477+00:00", "updated": "2026-04-07T07:55:19.090152+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_custom_locations_resource_provider"]}