Description
Payment Orchestrator Service Elevation of Privilege Vulnerability
Published: 2026-03-05
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Elevation of Privilege
Action: Patch Immediately
AI Analysis

Impact

The Payment Orchestrator Service contains a flaw that enables an attacker to gain higher privileges than intended. The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function), meaning that authentication is missing or insufficient before access is authorized, which allows elevation of privilege. Attackers can potentially manipulate payment functions or access sensitive data. The precise mechanism is not disclosed, but the title suggests the flaw permits bypass of security controls within the service.

Affected Systems

Microsoft Payment Orchestrator Service is impacted. No specific version information is listed in the CNA data, so all released versions may be susceptible until a patch is provided.

Risk and Exploitability

The CVSS score of 8.6 classifies the issue as high severity. EPSS is reported as less than 1%, indicating a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is not specified; it is inferred that the flaw may involve inadequate authentication checks within the service, possibly exploitable by local or remote actors depending on configuration.

Generated by OpenCVE AI on April 15, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft patch for CVE-2026-26125 as soon as it is available
  • Limit the permissions granted to the Payment Orchestrator Service account to the minimum required for operation
  • Enable auditing and monitor logs for any unauthorized elevation of privilege attempts



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:microsoft:payment_orchestrator_service:-:*:*:*:*:*:*:*

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description Payment Orchestrator Service Elevation of Privilege Vulnerability
Title Payment Orchestrator Service Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft payment Orchestrator Service
Weaknesses CWE-306
CPEs cpe:2.3:a:microsoft:payment_orchestrator_service:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft payment Orchestrator Service
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-14T16:36:21.324Z

Reserved: 2026-02-11T15:52:13.911Z

Link: CVE-2026-26125

Vulnrichment

Updated: 2026-03-09T20:27:34.868Z

NVD

Status: Analyzed

Published: 2026-03-05T23:16:20.160

Modified: 2026-03-16T15:38:45.143

Link: CVE-2026-26125

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses