Description
Payment Orchestrator Service Elevation of Privilege Vulnerability
Published: 2026-03-05
Score: 8.6 High
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Payment Orchestrator Service contains a flaw that enables an attacker to gain higher privileges than intended. The vulnerability is classified as CWE‑306, indicating that authentication requirements before authorization are missing or insufficient, allowing elevation of privilege. Attackers can potentially manipulate payment functions or access sensitive data. The precise mechanism is not disclosed, but the title suggests the flaw permits bypass of security controls within the service.

Affected Systems

Microsoft Payment Orchestrator Service is impacted. No specific version information is listed in the CNA data, so all released versions may be susceptible until a patch is provided.

Risk and Exploitability

The CVSS score of 8.6 classifies the issue as high severity. EPSS is reported as 1 %, indicating a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is not specified; it is inferred the flaw may involve inadequate authentication checks within the service, possibly exploitable by local or remote actors depending on configuration.

Generated by OpenCVE AI on June 18, 2026 at 10:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft patch for CVE‑2026-26125 as soon as it is available
  • Limit the permissions granted to the Payment Orchestrator Service account to the minimum required for operation
  • Enable auditing and monitor logs for any unauthorized elevation of privilege attempts

Generated by OpenCVE AI on June 18, 2026 at 10:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:microsoft:payment_orchestrator_service:-:*:*:*:*:*:*:*

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description Payment Orchestrator Service Elevation of Privilege Vulnerability
Title Payment Orchestrator Service Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft payment Orchestrator Service
Weaknesses CWE-306
CPEs cpe:2.3:a:microsoft:payment_orchestrator_service:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft payment Orchestrator Service
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C'}


Subscriptions

Microsoft Payment Orchestrator Service
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T18:17:55.743Z

Reserved: 2026-02-11T15:52:13.911Z

Link: CVE-2026-26125

cve-icon Vulnrichment

Updated: 2026-03-09T20:27:34.868Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T23:16:20.160

Modified: 2026-06-17T10:25:46.140

Link: CVE-2026-26125

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T10:45:03Z

Weaknesses