Description
Azure Entra ID Elevation of Privilege Vulnerability
Published: 2026-01-22
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Elevation of Privilege
Action: Apply Patch
AI Analysis

Impact

The CVE identifies an access‑control flaw in Microsoft Entra ID that could allow an attacker to obtain privileges beyond those they should have. The brief description states only that unauthorized elevation is possible. Based on the CWE‑285 (Improper Authorization) label, the flaw is inferred to let an authenticated user perform actions they should not be permitted to carry out, potentially compromising the confidentiality, integrity, or availability of the service.

Affected Systems

Microsoft Entra ID is the affected product. No specific version ranges are listed in the CNA data, so all deployments should be checked against Microsoft’s Security Update Guide.

Risk and Exploitability

The CVSS score of 9.3 signals critical severity for remote exploitation, but EPSS indicates a very low probability of exploitation in the wild (<1%). The vulnerability is not currently listed in the CISA KEV catalog. The attack vector is inferred to be remote, but the CVE does not specify the conditions required; the high score suggests that a successful exploit would have significant impact. Overall risk is tempered by the low EPSS but remains high per the severity metric.

Generated by OpenCVE AI on April 16, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the vendor‑supplied patch or update for Microsoft Entra ID provided by Microsoft’s security update guide.
  • Reconfigure role‑based access controls to ensure users possess only the minimum permissions needed for their functions, consistent with the CWE‑285 guidance on proper authorization controls.
  • Enable and review audit logs for privileged actions in Entra ID to detect any unauthorized elevation attempts.

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 13:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Microsoft entra Id
CPEs                |                | cpe:2.3:a:microsoft:entra_id:-:*:*:*:*:*:*:*
Vendors & Products  |                | Microsoft entra Id

Fri, 23 Jan 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 23:00:00 +0000

Type                | Values Removed | Values Added
Description         |                | Azure Entra ID Elevation of Privilege Vulnerability
Title               |                | Azure Entra ID Elevation of Privilege Vulnerability
First Time appeared |                | Microsoft; Microsoft microsoft Entra Id
Weaknesses          |                | CWE-285
CPEs                |                | cpe:2.3:a:microsoft:microsoft_entra_id:*:*:*:*:*:*:*:*
Vendors & Products  |                | Microsoft; Microsoft microsoft Entra Id
References          |                |
Metrics             |                | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:25.092Z

Reserved: 2026-01-21T21:28:02.969Z

Link: CVE-2026-24305

Vulnrichment

Updated: 2026-01-23T13:27:29.637Z

NVD

Status : Analyzed

Published: 2026-01-22T23:15:58.667

Modified: 2026-02-03T12:46:12.437

Link: CVE-2026-24305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:45:06Z

Weaknesses