Critical (10.0)

Entra ID SSRF allows spoofing (CVE-2026-35431)


CVE-2026-35431 (CVSS 10.0) is a server-side request forgery (SSRF) in Microsoft Entra ID Entitlement Management that lets unauthenticated attackers spoof network identities and reach internal resources. Entra ID is a Microsoft-hosted service, so the fix is deployed by Microsoft rather than installed by tenants; confirm the remediation status in the MSRC advisory now.

Affected: Microsoft Entra ID (Entitlement Management)

Act now - CVE-2026-35431 is a critical server-side request forgery (SSRF) in Microsoft Entra ID Entitlement Management that lets unauthenticated attackers spoof network identities and access internal resources. Because Entra ID is Microsoft-hosted, the security fix is applied on the service side; check the MSRC advisory for CVE-2026-35431 for its status and for any tenant-side action, as no workarounds exist.

Overview

CVE-2026-35431 is a critical server-side request forgery (SSRF) vulnerability in Microsoft Entra ID Entitlement Management that allows an unauthenticated, remote attacker to perform network-level spoofing. Its CVSS score of 10.0 is the maximum possible rating, which means that beyond the network attack vector, low complexity, no required privileges and no user interaction, the impact metrics must also be at their worst.

Technical Details

The vulnerability lies in how Entra ID Entitlement Management handles outbound network requests. An attacker can craft input that causes the service to issue requests to destinations of the attacker's choosing, internal or external. Because those requests originate from Microsoft's service rather than from the attacker, they carry the service's network identity: the attacker can impersonate the service toward other systems that trust that identity, and can reach resources that are not exposed to the attacker directly. The advisory summarized here does not identify the specific endpoint or parameter involved.
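To make the bug class concrete, the following is an added example of the SSRF pattern described above and of the checks that close it. It is constructed for this page and is not Entra ID code; the hostnames, allowlist and DNS table are assumptions, and resolution is stubbed so the demo runs offline. The vulnerable function connects wherever the caller's URL points; the hardened one enforces a scheme and host allowlist, rejects userinfo tricks, resolves the name itself and refuses any non-public address, then hands back a pinned IP so the caller cannot be redirected or re-resolved onto a different target.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumption for this example: the only hosts the component is allowed to call.
ALLOWED_HOSTS = {"api.partner.example", "files.partner.example"}
ALLOWED_SCHEMES = {"https"}


class OutboundRequestBlocked(ValueError):
    """Raised when a caller-supplied URL fails outbound-request validation."""


def resolve(hostname):
    """Resolve hostname to every address it maps to (A and AAAA) via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def outbound_target_unsafe(url):
    """Vulnerable pattern: wherever the caller's URL points is where the service
    connects, including loopback, RFC 1918 ranges and the link-local metadata
    address 169.254.169.254. Returns (scheme, host, port) with no checks."""
    parsed = urlparse(url)
    return parsed.scheme, parsed.hostname, parsed.port


def outbound_target_safe(url, resolver=resolve):
    """Hardened pattern. Returns (scheme, host, pinned_ip, port).

    The caller must open the socket to pinned_ip (sending host as SNI / Host
    header) and must not follow redirects; otherwise a second DNS lookup or a
    302 can steer the request to an address that was never checked."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise OutboundRequestBlocked(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        # "https://allowed.host@127.0.0.1/" parses with hostname 127.0.0.1
        raise OutboundRequestBlocked("userinfo in URL is not allowed")
    host = parsed.hostname
    if not host or host not in ALLOWED_HOSTS:
        raise OutboundRequestBlocked(f"host not on allowlist: {host!r}")
    try:
        port = parsed.port or 443
    except ValueError as exc:
        raise OutboundRequestBlocked(f"invalid port: {exc}") from exc
    addresses = resolver(host)
    if not addresses:
        raise OutboundRequestBlocked(f"{host!r} did not resolve")
    for raw in addresses:
        # is_global is False for loopback, private, link-local, CGNAT,
        # documentation and other special-purpose ranges, IPv4 and IPv6 alike.
        if not ipaddress.ip_address(raw).is_global:
            raise OutboundRequestBlocked(f"{host!r} resolves to non-public address {raw}")
    return parsed.scheme, host, addresses[0], port


# Constructed DNS table so the demo runs offline; stands in for resolve().
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    # Split-horizon / rebinding case: an allowlisted name that also maps to a
    # private address, which a hostname-only allowlist would wave through.
    "files.partner.example": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(hostname):
    return FAKE_DNS.get(hostname, [])


def classify(url, resolver=fake_resolver):
    """Return 'allowed -> <ip>:<port>' or 'blocked: <reason>' for a URL."""
    try:
        _, _, ip, port = outbound_target_safe(url, resolver)
    except OutboundRequestBlocked as exc:
        return f"blocked: {exc}"
    return f"allowed -> {ip}:{port}"


if __name__ == "__main__":
    for candidate in (
        "https://api.partner.example/v1/users",
        "http://169.254.169.254/latest/meta-data/",
        "https://api.partner.example@127.0.0.1/",
        "https://files.partner.example/report.csv",
        "https://[::1]:8080/admin",
    ):
        unsafe_host = outbound_target_unsafe(candidate)[1]
        print(f"{candidate:45} unsafe would connect to {unsafe_host!r:22} {classify(candidate)}")
```

Every URL in the demo list passes the vulnerable function; only the first passes the hardened one. The files.partner.example case is the one most teams miss: the host is allowlisted, but one of its records is private, so the name must be resolved and every returned address checked before the connection is made, and the connection must then go to the checked address.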

Key characteristics:

  • Attack Vector: NETWORK (remotely exploitable)
  • Attack Complexity: LOW (no special conditions required)
  • Privileges Required: NONE (no authentication needed)
  • User Interaction: NONE (no victim action required)

Impact

Successful exploitation could allow an unauthorized attacker to:

  • Spoof network identities and services
  • Access internal resources that should be isolated
  • Potentially pivot to other systems within the network

The CVSS 10.0 score is the highest possible rating. Exploitation has not been confirmed in the wild, but with no authentication or user interaction required, automated attacks at scale are feasible.

Affected Versions

This vulnerability affects the Entitlement Management component of Microsoft Entra ID (formerly Azure Active Directory). Entitlement management is part of Microsoft Entra ID Governance, and because Entra ID is a hosted service there is no customer-installed version to check; organizations that use access packages, catalogs or connected organizations should confirm the fix status for their tenants against the MSRC advisory.

Remediation

Microsoft has released a fix for this vulnerability. Entra ID is a Microsoft-hosted service, so tenants do not install updates to it themselves; the fix is deployed on the service side. What a tenant can and should do:

  1. Check the MSRC advisory for CVE-2026-35431 for the remediation status and for any customer action it lists
  2. Confirm that status for every tenant you operate, including tenants where entitlement management is enabled but rarely used
  3. Review Entra audit logs in the EntitlementManagement category (access package requests, approvals, assignments, catalog and connected-organization changes) for activity you cannot attribute to an expected requester, approver or automation

No workarounds are listed; the service-side fix is the only complete mitigation.
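The audit review in step 3 is easier against a baseline, so here is an added example of that triage, not Microsoft tooling: it takes records in the shape returned by the Microsoft Graph directoryAudits endpoint (which can be filtered on category eq 'EntitlementManagement'), counts activities per type, and flags entitlement management events whose initiator is outside a list of expected actors. The sample records, tenant name, activity names and the list of known actors are constructed for the demo; real activity names in your tenant may differ.

```python
import json
from collections import Counter

# Constructed sample in the shape of Microsoft Graph /auditLogs/directoryAudits
# output (category, activityDisplayName, activityDateTime, result, initiatedBy,
# targetResources). Every value here is invented for the demo.
SAMPLE_AUDIT_JSON = r"""
{
  "value": [
    {"id": "a1", "category": "EntitlementManagement",
     "activityDisplayName": "Create access package assignment request",
     "activityDateTime": "2026-04-01T09:12:03Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}, "app": null},
     "targetResources": [{"displayName": "Finance Readers", "type": "AccessPackage"}]},
    {"id": "a2", "category": "EntitlementManagement",
     "activityDisplayName": "Approve access package assignment request",
     "activityDateTime": "2026-04-01T09:40:55Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}, "app": null},
     "targetResources": [{"displayName": "Finance Readers", "type": "AccessPackage"}]},
    {"id": "a3", "category": "EntitlementManagement",
     "activityDisplayName": "Update catalog",
     "activityDateTime": "2026-04-01T23:58:10Z", "result": "success",
     "initiatedBy": {"user": null, "app": {"displayName": "Unrecognised Automation"}},
     "targetResources": [{"displayName": "Partner Catalog", "type": "AccessPackageCatalog"}]},
    {"id": "a4", "category": "UserManagement",
     "activityDisplayName": "Update user",
     "activityDateTime": "2026-04-02T08:00:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}, "app": null},
     "targetResources": [{"displayName": "carol", "type": "User"}]}
  ]
}
"""

# Assumption: the identities expected to act in entitlement management in this
# tenant (requesters, approvers and sanctioned automation). Maintain this list
# from your own access-package and catalog configuration.
KNOWN_ACTORS = {"user:alice@contoso.example", "user:bob@contoso.example"}


def load_records(raw_json):
    """Parse a Graph-style page of audit records into a list of dicts."""
    return json.loads(raw_json)["value"]


def actor(record):
    """Normalize initiatedBy into 'user:<upn>', 'app:<name>' or 'unknown'."""
    who = record.get("initiatedBy") or {}
    user = who.get("user") or {}
    app = who.get("app") or {}
    if user.get("userPrincipalName"):
        return "user:" + user["userPrincipalName"].lower()
    if app.get("displayName"):
        return "app:" + app["displayName"]
    return "unknown"


def entitlement_events(records):
    """Keep only records the service logged under the EntitlementManagement category."""
    return [r for r in records if r.get("category") == "EntitlementManagement"]


def activity_counts(records):
    """Per-activity counts over entitlement events: the baseline to compare
    a suspect window against."""
    return Counter(r["activityDisplayName"] for r in entitlement_events(records))


def flag_unexpected(records, known_actors):
    """Return (time, activity, actor, target names) for entitlement events
    whose initiator is not one of the known actors."""
    flagged = []
    for r in entitlement_events(records):
        who = actor(r)
        if who in known_actors:
            continue
        targets = [t.get("displayName", "?") for t in r.get("targetResources", [])]
        flagged.append((r["activityDateTime"], r["activityDisplayName"], who, targets))
    return flagged


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDIT_JSON)
    for activity, n in activity_counts(recs).most_common():
        print(f"{n:4}  {activity}")
    for when, activity, who, targets in flag_unexpected(recs, KNOWN_ACTORS):
        print(f"FLAG {when} {activity!r} by {who} on {targets}")
```

The heuristic is deliberately simple: an unknown initiator touching catalogs, policies or assignments is the record worth a human look, and the activity counts show whether the volume of requests or approvals in the window departs from normal. Treat anything flagged as a starting point for investigation, not as proof of exploitation.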

Security Insight

This vulnerability illustrates a dangerous pattern in identity platforms: an SSRF in a system that handles authentication and authorization can undermine the trust model of an organization's entire identity infrastructure, because other systems accept requests from that platform on the strength of its identity alone. As cloud identity providers grow feature-rich with entitlement management, access reviews and automated provisioning, the attack surface expands with them. Microsoft must hold these components to the same security rigor as core authentication services, because a flaw in entitlement management can enable spoofing that undermines every downstream control that trusts the identity platform.

Related reading: Recent attacks show how identity infrastructure vulnerabilities are being exploited - see APT28 DNS Hijacking targeting Microsoft 365 credentials and China-linked Storm-1175 using zero-days to deploy Medusa ransomware. Our weekly threat roundup covers these and other developments.
