Description
Improper input validation in Power BI allows an authorized attacker to execute code over a network.
Published: 2026-02-10
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

Improper input validation in Microsoft Power BI Report Server allows an authenticated attacker with necessary permissions to execute arbitrary code on the server. Based on the description, it is inferred that the attacker must be authenticated and possess necessary permissions. The flaw is a classic input validation weakness mapped to CWE‑20. By sending specially crafted requests that the service interprets as executable commands, an attacker can gain full control of the Power BI instance, compromising confidentiality, integrity, and availability.

Affected Systems

The vulnerability affects Microsoft Power BI Report Server. The advisory does not list specific affected versions, suggesting that all releases that process request payloads in the described manner may be vulnerable. Organizations should assume all Power BI Report Server deployments are potentially affected until a vendor patch has been applied.

Risk and Exploitability

The flaw received a CVSS score of 8, indicating high severity. The EPSS score is less than 1 %, implying that widespread exploitation activity is currently low. The vulnerability is not listed in the CISA KEV catalogue. Exploitation requires an authenticated session with sufficient privileges; based on the description, it is inferred that the attacker must have legitimate credentials, thus the threat surface is limited to insiders or attackers who have compromised legitimate credentials. Due to the high severity, operators should prioritize remediation once the patch is available.

Generated by OpenCVE AI on April 16, 2026 at 01:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for Power BI Report Server that addresses CVE‑2026‑21229.
  • Restrict network access to the Power BI service to trusted networks or use VPN tunnels so that only authorized users can reach it.
  • Enforce least‑privilege on Power BI accounts and regularly review permissions to ensure only users who require access can upload or manage reports.
  • Monitor logs for suspicious activity, such as unexpected report uploads or executions.

Generated by OpenCVE AI on April 16, 2026 at 01:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Improper input validation in Power BI allows an authorized attacker to execute code over a network.
Title Power BI Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft power Bi Report Server
Weaknesses CWE-20
CPEs cpe:2.3:a:microsoft:power_bi_report_server:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft power Bi Report Server
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Power Bi Report Server
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:12.763Z

Reserved: 2025-12-11T21:02:05.734Z

Link: CVE-2026-21229

cve-icon Vulnrichment

Updated: 2026-02-25T15:43:18.625Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:23.453

Modified: 2026-02-11T21:15:13.490

Link: CVE-2026-21229

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T01:15:20Z

Weaknesses