Description
Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.
Published: 2026-02-10
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Untrusted data deserialization in the Azure SDK for Python creates a remote code execution vulnerability that allows an off‑network attacker to run arbitrary code on any host processing the data. The flaw is classed as CWE‑502 and carries a very high severity indicated by a CVSS score of 9.8, reflecting both the ability to compromise confidentiality, integrity, and availability of the affected system.

Affected Systems

Microsoft Azure AI Language Authoring and Azure Conversation Authoring Client Library for Python (v1.0.0 beta1, beta2, and beta3) are affected. Applications that import these libraries and process data from untrusted sources are at risk.

Risk and Exploitability

The CVSS score of 9.8 signals a critical risk, while the EPSS score of < 1 % indicates that, although the likelihood of exploitation in the current population is low, the vulnerability remains dangerous. The attack vector is inferred to be remote over the network, whereby the attacker sends crafted data to the SDK, triggering code execution. The vulnerability is not listed in the CISA KEV catalog, but the impact of successful exploitation would be complete compromise of any host running the vulnerable SDK.

Generated by OpenCVE AI on April 15, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Azure SDK for Python dependencies to the latest patched release as soon as available.
  • Apply network segmentation so that only trusted services or internal endpoints can communicate with the Azure SDK components.
  • Ensure that all data deserialized by the SDK originates from trusted, validated sources; enforce strict input validation before processing.

Generated by OpenCVE AI on April 15, 2026 at 16:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-436v-jg82-p533 Azure AI Language Authoring Elevation of Privilege Vulnerability can Lead to RCE
History

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft azure Conversation Authoring Client Library
CPEs cpe:2.3:a:microsoft:azure_conversation_authoring_client_library:1.0.0:beta1:*:*:*:python:*:*
cpe:2.3:a:microsoft:azure_conversation_authoring_client_library:1.0.0:beta2:*:*:*:python:*:*
cpe:2.3:a:microsoft:azure_conversation_authoring_client_library:1.0.0:beta3:*:*:*:python:*:*
Vendors & Products Microsoft azure Conversation Authoring Client Library

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.
Title Azure SDK for Python Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft azure Ai Language Authoring
Weaknesses CWE-502
CPEs cpe:2.3:a:microsoft:azure_ai_language_authoring:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Ai Language Authoring
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Ai Language Authoring Azure Conversation Authoring Client Library
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:18.982Z

Reserved: 2025-12-30T18:10:54.847Z

Link: CVE-2026-21531

cve-icon Vulnrichment

Updated: 2026-02-25T15:43:12.708Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:35.580

Modified: 2026-02-12T15:49:25.373

Link: CVE-2026-21531

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses