{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23659", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-14T16:59:33.463Z", "datePublished": "2026-03-19T21:06:24.369Z", "dateUpdated": "2026-03-20T16:36:01.784Z"}, "containers": {"cna": {"title": "Azure Data Factory Information Disclosure Vulnerability", "datePublic": "2026-03-19T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_data_factory:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Data Factory", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en-US", "type": "CWE", "cweId": "CWE-200"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-20T16:36:01.784Z"}, "references": [{"name": "Azure Data Factory Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23659"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23659", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:16:14.747959Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:23:03.023Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23659", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-20T15:16:14.747959Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:17:48.521Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Azure Data Factory Information Disclosure Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Data Factory", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-03-19T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23659", "name": "Azure Data Factory Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_data_factory:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-20T16:36:01.784Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23659", "state": "PUBLISHED", "dateUpdated": "2026-03-20T16:36:01.784Z", "dateReserved": "2026-01-14T16:59:33.463Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-19T21:06:24.369Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Exposure of sensitive information to an unauthorized actor in Azure Data Factory allows an unauthorized attacker to disclose information over a network."}], "id": "CVE-2026-23659", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-19T21:16:55.830", "references": [{"source": "secure@microsoft.com", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23659"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "azure_data_factory", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-19T22:51:05.711319+00:00", "value": {"mitigation_remediation": ["Follow the Microsoft Azure Security Advisory for CVE-2026-23659 and apply any available patch or update immediately."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Data Disclosure"}, "threat_synthesis": {"affected_systems": "Microsoft Azure Data Factory is the affected vendor and product. No specific product or version numbers are provided in the available data, so all deployed instances of Azure Data Factory may be impacted, subject to the underlying configuration and network exposure.", "description_and_impact": "This vulnerability in Azure Data Factory allows an unauthorized attacker to disclose sensitive information over a network. The flaw is classified as CWE-200, indicating that information could be exposed without proper authorization, compromising the confidentiality of the data managed by the service.", "risk_and_exploitability": "The CVSS score of 8.6 classifies it as high severity, suggesting substantial potential data loss if exploited. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, implying that known public exploits may not yet exist. Based on the description, the likely attack vector is remote network exploitation; an attacker would need network access to the Azure Data Factory service and could trigger the information disclosure by interacting with exposed interfaces. The risk is high because of the confidentiality impact, but exploitation may require specific environmental conditions that are not fully detailed."}}}}, "created": "2026-03-20T08:55:57.592968+00:00", "updated": "2026-03-20T11:06:07.463365+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_data_factory"]}