Description
Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.
Published: 2026-01-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that the vulnerability arises when the library deserializes untrusted data, which allows an attacker with authorized network access to craft a malicious payload that the library processes, leading to arbitrary code execution on the host where the library runs. This weakness is classified as CWE-502, indicating that untrusted input is processed without adequate validation.

Affected Systems

Based on the vendor and product listing, it is inferred that all installations matching the generic package name azure_core_shared_client_library or the Python‑specific distribution azure_core_shared_client_library_for_python are potentially vulnerable. The Azure Core shared client library for Python, as identified under Microsoft’s product records, is affected. Specific affected revisions are not listed in the record, so users should verify the library version in use and consider upgrading.

Risk and Exploitability

Based on the description, it is inferred that exploitation requires an attacker with authorized network access who can deliver a crafted payload to the library. The CVSS score of 7.5 marks this as a high‑severity issue, while the EPSS score of 1% indicates a modest likelihood of exploitation at this time. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires authorized network access and some level of network connectivity to the target service; it does not enable unauthenticated code execution.

Generated by OpenCVE AI on June 11, 2026 at 20:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Microsoft’s patch by upgrading the Azure Core shared client library for Python to the latest stable release.
  • Remove or replace any legacy modules or custom wrappers that depend on older vulnerable versions of the library.
  • Enforce strict input validation and restrict deserialization to trusted data only; avoid passing externally supplied data to the library.
  • As a general best practice, review application code to ensure no untrusted serialized payloads reach this library, and consider isolating affected components behind network segmentation to limit exposure.



Advisories
Source ID Title
GitHub GHSA GHSA-jm66-cg57-jjv5 Azure Core is vulnerable to deserialization of untrusted data
History

Thu, 05 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft azure Core Shared Client Library
CPEs cpe:2.3:a:microsoft:azure_sdk_for_python:*:*:*:*:*:*:*:* cpe:2.3:a:microsoft:azure_core_shared_client_library:*:*:*:*:*:python:*:*
Vendors & Products Microsoft azure Sdk For Python
Microsoft azure Core Shared Client Library

Tue, 20 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft azure Sdk For Python
CPEs cpe:2.3:a:microsoft:azure_sdk_for_python:*:*:*:*:*:*:*:*
Vendors & Products Microsoft azure Sdk For Python

Tue, 13 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
Description Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.
Title Azure Core shared client library for Python Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft azure Core Shared Client Library For Python
Weaknesses CWE-502
CPEs cpe:2.3:a:microsoft:azure_core_shared_client_library_for_python:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Core Shared Client Library For Python
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:21.414Z

Reserved: 2025-12-11T21:02:05.732Z

Link: CVE-2026-21226

Vulnrichment

Updated: 2026-01-13T18:28:29.233Z

NVD

Status : Analyzed

Published: 2026-01-13T19:16:23.987

Modified: 2026-06-17T10:18:18.667

Link: CVE-2026-21226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T21:00:07Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data