High (8.6)

Microsoft Purview SSRF elevates privileges (CVE-2026-26150)

CVE-2026-26150

Unauthenticated attackers exploit CVE-2026-26150 SSRF in Microsoft Purview to access internal resources and elevate privileges. Apply the April 2026 security update to block exploitation.

Affected: Microsoft Purview Ediscovery

Vendor-confirmed - CVE-2026-26150 is a high-severity SSRF in Microsoft Purview, present prior to the April 2026 security update, that gives unauthenticated attackers access to internal network resources and a path to privilege elevation with minimal attack complexity.

Overview

Unauthenticated attackers can exploit a server-side request forgery (SSRF) vulnerability in Microsoft Purview to elevate privileges over the network, with no user interaction required. This flaw, tracked as CVE-2026-26150, carries a CVSS score of 8.6 (HIGH) due to its low attack complexity and the absence of authentication requirements.

Vulnerability Details

The vulnerability exists in how Microsoft Purview handles incoming network requests. By sending specially crafted requests to the Purview service, an unauthenticated attacker can trick the server into making requests to internal resources that should be restricted. This SSRF condition enables the attacker to interact with internal services, potentially accessing sensitive data or performing actions that require elevated privileges.

Impact

An attacker who successfully exploits CVE-2026-26150 can:

  • Access internal network resources that are normally unreachable from the internet
  • Potentially read sensitive configuration files or credentials from internal systems
  • Elevate their privileges within the Microsoft Purview environment
  • Use the compromised service to pivot to other internal systems

The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is a network-accessible vulnerability requiring no special access conditions, making it attractive to opportunistic attackers.

Affected Systems

Microsoft Purview deployments using versions prior to the security update released for this CVE are affected. Organizations using Microsoft Purview for data governance and compliance should verify their installation version against Microsoft’s advisory.

Remediation

The immediate and recommended action is to apply Microsoft’s security update for this vulnerability. There are no known workarounds that fully address the SSRF risk.

  1. Review the Microsoft Security Response Center advisory for CVE-2026-26150
  2. Deploy the update to all Microsoft Purview instances
  3. Monitor network logs for unusual outbound requests from Purview services, which may indicate exploitation attempts
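One way to carry out the log monitoring in step 3, shown as an added example that is not from Microsoft or this advisory: it flags outbound requests from service hosts whose destination is a loopback, link-local, or private address. The log format (timestamp, source host, method, URL), the host names, and the sample lines are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hypothetical names of the hosts whose egress is monitored.
MONITORED_SOURCES = {"purview-svc-01", "purview-svc-02"}

def classify_destination(url):
    """Return a reason string if the URL targets an internal address, else None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        host = None
    if host is None:
        return "unparseable-url"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname, not an IP literal: flag only obviously internal names.
        if host == "localhost" or host.endswith((".internal", ".local")):
            return "internal-hostname"
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is still 10.0.0.1
    # Order matters: link-local (e.g. 169.254.169.254) also counts as is_private.
    checks = (("loopback", ip.is_loopback), ("link-local", ip.is_link_local),
              ("private-range", ip.is_private))
    return next((name for name, hit in checks if hit), None)

def find_suspicious(log_lines):
    """Return (timestamp, source, url, reason) for each flagged outbound request."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[1] not in MONITORED_SOURCES:
            continue  # malformed line, or a host outside the monitored set
        ts, src, _method, url = parts
        reason = classify_destination(url)
        if reason:
            hits.append((ts, src, url, reason))
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-04-20T10:00:01Z purview-svc-01 GET https://storage.example.com/export/1",
    "2026-04-20T10:00:05Z purview-svc-01 GET http://169.254.169.254/metadata/instance",
    "2026-04-20T10:00:09Z purview-svc-02 GET http://10.20.30.40:8080/config",
    "2026-04-20T10:00:12Z web-frontend-07 GET http://10.20.30.41/health",
    "2026-04-20T10:00:15Z purview-svc-02 POST http://[::ffff:127.0.0.1]/admin",
]
```

Hostnames that resolve to internal addresses are not caught by this literal-IP check; pairing it with DNS or flow logs closes that gap.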

Security Insight

This SSRF in Microsoft Purview follows a pattern seen in other cloud-based data governance platforms where internal API calls are insufficiently validated. Organizations should treat SSRF vulnerabilities in SaaS services seriously because they bypass the perimeter security model entirely. The lack of required authentication for this flaw is particularly concerning, as it mirrors the attack profile seen in recent campaigns targeting cloud infrastructure.

For related threat intelligence, review our coverage of APT28 DNS hijacking tactics and campaigns using SOHO router compromises to understand how SSRF vulnerabilities fit into broader adversary operations.
