Description
Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network.
Published: 2026-03-19
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

The vulnerability in Azure Data Factory permits an unauthorized actor to expose sensitive information over a network connection, compromising data confidentiality. It is classified as a CWE‑200 flaw in which information may be disclosed to unintended recipients.

Affected Systems

Microsoft Azure Data Factory is affected. No specific version numbers are listed in the public data, so all current deployments should be assessed.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, but EPSS of less than 1% shows low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Likely exploitation would occur via a remote network attack against the data factory interfaces, typically requiring authenticated or anonymous access to the service's API endpoints.

Generated by OpenCVE AI on April 2, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any Microsoft security update for Azure Data Factory that addresses CVE‑2026‑23659 immediately.
  • Restrict network connectivity to the Data Factory service by limiting requests to trusted IP ranges or enforcing Azure AD authentication.
  • Review and tighten RBAC permissions on all datasets and pipelines to ensure least‑privilege access.
  • Monitor activity logs for anomalous data access or export patterns that could indicate exploitation.

Generated by OpenCVE AI on April 2, 2026 at 03:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:azure_data_factory:-:*:*:*:*:*:*:*

Fri, 20 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network.
Title Azure Data Factory Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft azure Data Factory
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:azure_data_factory:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Data Factory
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Data Factory
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-09T23:25:59.643Z

Reserved: 2026-01-14T16:59:33.463Z

Link: CVE-2026-23659

cve-icon Vulnrichment

Updated: 2026-03-20T15:17:48.521Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T21:16:55.830

Modified: 2026-04-01T15:13:35.350

Link: CVE-2026-23659

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:44Z

Weaknesses