Description
Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.
Published: 2026-01-13
Score: 7.5 High
EPSS: 1.7% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from the deserialization of untrusted data in Microsoft’s Azure Core shared client library for Python. An attacker who has authorized network access can craft a malicious payload that the library deserializes, leading to the execution of arbitrary code on the host where the library runs. The weakness is classified as CWE-502, indicating that untrusted input is processed without adequate validation.

Affected Systems

The Azure Core shared client library for Python, as identified under Microsoft’s product records, is affected. All installations matching the generic package name azure_core_shared_client_library or the Python‑specific distribution azure_core_shared_client_library_for_python are potentially vulnerable; specific affected revisions are not listed in the record, so users should verify the library version in use and consider upgrading.

Risk and Exploitability

The CVSS score of 7.5 marks this as a high‑severity issue, while the EPSS score of 2% indicates a modest likelihood of exploitation at this time. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authorized attacker who can deliver the crafted payload to the library over the network; it does not allow unauthenticated code execution, nor code execution without some level of network connectivity to the target service.

Generated by OpenCVE AI on April 16, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Microsoft’s patch by upgrading the Azure Core shared client library for Python to the latest stable release.
  • Remove or replace any legacy modules or custom wrappers that depend on older vulnerable versions of the library.
  • Enforce strict input validation and restrict deserialization to trusted data only; avoid passing externally supplied data to the library.
  • As a general best practice, review application code to ensure no untrusted serialized payloads reach this library, and consider isolating affected components behind network segmentation to limit exposure.



Advisories
Source | ID | Title
--- | --- | ---
Github GHSA | GHSA-jm66-cg57-jjv5 | Azure Core is vulnerable to deserialization of untrusted data
History

Thu, 05 Feb 2026 18:00:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
First Time appeared | | Microsoft azure Core Shared Client Library
CPEs | cpe:2.3:a:microsoft:azure_sdk_for_python:*:*:*:*:*:*:*:* | cpe:2.3:a:microsoft:azure_core_shared_client_library:*:*:*:*:*:python:*:*
Vendors & Products | Microsoft azure Sdk For Python | Microsoft azure Core Shared Client Library

Tue, 20 Jan 2026 18:30:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
First Time appeared | | Microsoft azure Sdk For Python
CPEs | | cpe:2.3:a:microsoft:azure_sdk_for_python:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft azure Sdk For Python

Tue, 13 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 18:30:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
Description | | Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.
Title | | Azure Core shared client library for Python Remote Code Execution Vulnerability
First Time appeared | | Microsoft; Microsoft azure Core Shared Client Library For Python
Weaknesses | | CWE-502
CPEs | | cpe:2.3:a:microsoft:azure_core_shared_client_library_for_python:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft azure Core Shared Client Library For Python
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:21.414Z

Reserved: 2025-12-11T21:02:05.732Z

Link: CVE-2026-21226

Vulnrichment

Updated: 2026-01-13T18:28:29.233Z

NVD

Status: Analyzed

Published: 2026-01-13T19:16:23.987

Modified: 2026-02-05T17:58:29.607

Link: CVE-2026-21226

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z
