Description
Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.
Published: 2026-04-02
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Elevation of Privilege
Action: Apply Patch
AI Analysis

Impact

A server-side request forgery (SSRF) flaw, classified as CWE-918, exists in the Azure Custom Locations Resource Provider. An authenticated caller with low privileges (CVSS PR:L) who can steer the provider's server-side requests toward URLs of their choosing can reach endpoints that trust the provider but that the caller is not authorized to reach, and can read or modify resources there. Because the effect lands outside the caller's own authorization scope (CVSS S:C), the outcome is privilege escalation rather than a contained information leak: confidentiality and integrity are rated High, availability is not affected.
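The CVE record gives no detail of the provider's internals, so the following is an added illustration of the generic CWE-918 defence rather than code from the Custom Locations RP or from Microsoft. It shows what a service that fetches caller-influenced URLs has to do before connecting: restrict scheme and port, resolve the name itself, reject every non-public address (loopback, link-local including the 169.254.169.254 instance-metadata endpoint that SSRF in Azure is typically aimed at, RFC 1918, CGNAT, IPv4-mapped IPv6), require every resolved address to pass, and pin the connection to the validated IP. Function and constant names are assumptions; the resolver is injectable so the check can be exercised offline.

```python
"""Generic SSRF (CWE-918) destination check, added as an illustration.

Not code from the Azure Custom Locations RP. It demonstrates the standard
defence for a server-side fetch of a caller-influenced URL: validate scheme
and port, resolve the host yourself, reject any non-public address, and pin
the connection to the validated IP so a second resolution cannot swap in an
internal address (DNS rebinding). All names here are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is judged as its IPv4 form,
    # so ::ffff:169.254.169.254 cannot slip past an IPv4-only blocklist.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global excludes loopback, link-local (169.254.0.0/16 incl. IMDS),
    # RFC 1918, CGNAT (100.64/10), test nets and reserved ranges.
    return ip.is_global and not ip.is_multicast


def resolve_all(host):
    """Default resolver: every A/AAAA address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolver=resolve_all):
    """Validate a caller-supplied URL before the server fetches it.

    Returns (ok, reason, pinned_ip). On success the fetch must connect to
    pinned_ip (keeping the original hostname for SNI/Host) and must not follow
    redirects automatically; each redirect target is passed through check_url
    again, otherwise a public host can bounce the request to an internal one.
    """
    try:
        parts = urlparse(url)
        host, port = parts.hostname, parts.port   # .port raises on bad values
    except ValueError:
        return False, "unparseable url", None
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if parts.username or parts.password:
        return False, "credentials embedded in url", None
    if not host:
        return False, "missing host", None
    if (port or 443) not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    try:
        raw_addrs = {host}
        ipaddress.ip_address(host)                # literal IP, no lookup
    except ValueError:
        try:
            raw_addrs = resolver(host)            # hostname: resolve it here
        except (socket.gaierror, OSError):
            return False, "name does not resolve", None
    if not raw_addrs:
        return False, "name resolves to nothing", None
    addrs = {ipaddress.ip_address(a) for a in raw_addrs}
    # Every address must be public: a name that resolves to one public and one
    # internal address is the classic round-robin / rebinding bypass.
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{ip} is not a public address", None
    pinned = min(addrs, key=lambda a: (a.version, int(a)))
    return True, "ok", str(pinned)


if __name__ == "__main__":
    # Constructed inputs; the resolver lambda stands in for DNS so this runs offline.
    for candidate in ("https://169.254.169.254/metadata/instance",
                      "https://[::ffff:127.0.0.1]/", "https://example.com/api"):
        print(candidate, check_url(candidate, resolver=lambda h: {"93.184.216.34"}))
```

The check deliberately rejects on the first non-public address rather than filtering the set, and it returns the IP to connect to rather than the name: both are what separates a real SSRF defence from a blocklist that is bypassed by the first name that resolves to a private address a moment after the check.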

Affected Systems

The vulnerability affects the Microsoft Azure Custom Locations Resource Provider. The CVE record carries no affected-version data (its CPE is version-agnostic), and the resource provider is an Azure service operated by Microsoft rather than software that customers install, so there is no local version to check. The CVSS temporal metrics in the record (RL:O, RC:C) indicate that an official remediation has been reported; treat the MSRC advisory for CVE-2026-26135 as the authoritative statement of fix status and of any customer-side action.

Risk and Exploitability

The CVSS 3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) is critical: the attack is network-reachable, low in complexity, needs only low privileges and no user interaction, and crosses an authorization boundary. The EPSS score below 1 % and the SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: total) indicate that no exploitation has been observed and the flaw is not trivially automatable; the temporal metric E:U likewise records no public exploit, and the CVE is not in the CISA KEV catalog. Exploitation requires an authenticated principal with legitimate access to the provider's operations and the ability to influence the destination of its outbound requests. A successful attacker could reach resources that trust the provider and obtain privileges in the associated Azure subscription beyond those granted to the attacker's own identity.

Generated by OpenCVE AI on April 6, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Confirm the fix status in the MSRC advisory for CVE-2026-26135. The record's CVSS temporal metrics (RL:O, RC:C) indicate an official remediation has been reported; because the Resource Provider is an Azure service operated by Microsoft, check the advisory for whether any customer-side action is required in addition to the service-side fix
  • Network Security Groups and Azure Firewall rules govern customer virtual networks, not a Microsoft-operated resource provider, so they cannot constrain the provider's own outbound requests; use them instead to limit which sources may reach the resources a forged request would target, such as the Azure Arc-enabled Kubernetes clusters that custom locations are created on
  • Unregister the provider (ARM namespace Microsoft.ExtendedLocation) from subscriptions that have no custom locations, so the attack surface is absent where the feature is not used
  • Enable Azure Activity Log alerts for operations under Microsoft.ExtendedLocation/, in particular write, delete and action operations, and investigate callers that do not belong to the team managing custom locations as well as repeated failures from a single principal
  • Limit Microsoft.ExtendedLocation/* permissions, including broad roles such as Owner or Contributor at subscription scope that contain them, to the principals that actually manage custom locations; the vulnerability requires an authenticated caller with privileges on the provider (PR:L), so fewer such callers means fewer candidates for abuse
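As an added example of the alerting the last two recommendations describe (not code from OpenCVE or Microsoft), the script below triages exported Activity Log events for the Custom Locations provider. It assumes the events are JSON records with the fields used here (operationName, caller, status, resourceId, eventTimestamp), that Custom Locations operations live under the Microsoft.ExtendedLocation namespace, and that the set of principals allowed to change custom locations is known; the sample events are constructed.

```python
"""Activity Log triage for Custom Locations operations (added example).

Not OpenCVE's or Microsoft's code. Assumes Activity Log events exported as
JSON with the fields used below, and that Custom Locations operations are
named under the Microsoft.ExtendedLocation ARM namespace. Sample data is
constructed, not taken from any tenant.
"""
from collections import Counter

# Assumption: resource-provider namespace used by Azure Custom Locations.
PROVIDER_PREFIX = "microsoft.extendedlocation/"
MUTATING_SUFFIXES = ("/write", "/delete", "/action")


def is_provider_op(operation_name):
    return operation_name.lower().startswith(PROVIDER_PREFIX)


def is_mutating(operation_name):
    return operation_name.lower().endswith(MUTATING_SUFFIXES)


def triage(events, allowed_callers, failure_threshold=3):
    """Return findings for Custom Locations events worth an analyst's look.

    Rule 1 (unexpected-writer): a write/delete/action operation on the
            provider by a caller outside the principals expected to manage
            custom locations; with PR:L the attacker is an authenticated user.
    Rule 2 (repeated-failures): failure_threshold or more failed provider
            operations by one caller, the pattern of probing what the
            provider does with attacker-chosen input.
    """
    findings = []
    failures = Counter()
    for event in events:
        op = event.get("operationName", "")
        if not is_provider_op(op):
            continue          # other resource providers are out of scope here
        caller = event.get("caller", "<unknown>")
        if is_mutating(op) and caller not in allowed_callers:
            findings.append({"rule": "unexpected-writer", "caller": caller,
                             "operation": op, "resourceId": event.get("resourceId"),
                             "time": event.get("eventTimestamp")})
        if event.get("status") == "Failed":
            failures[caller] += 1
    for caller, count in failures.items():
        if count >= failure_threshold:
            findings.append({"rule": "repeated-failures", "caller": caller,
                             "count": count})
    return findings


# Constructed sample events (zero GUID subscription, fictional principals).
_CL = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "rg-arc/providers/Microsoft.ExtendedLocation/customLocations/edge-site-1")
_VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
       "rg-app/providers/Microsoft.Compute/virtualMachines/vm1")


def _ev(ts, caller, op, status, rid):
    return {"eventTimestamp": ts, "caller": caller, "operationName": op,
            "status": status, "resourceId": rid}


SAMPLE_EVENTS = [
    _ev("2026-04-07T08:00:01Z", "ops-admin@contoso.example",
        "Microsoft.ExtendedLocation/customLocations/write", "Succeeded", _CL),
    _ev("2026-04-07T08:05:10Z", "ops-admin@contoso.example",
        "Microsoft.ExtendedLocation/customLocations/read", "Succeeded", _CL),
    _ev("2026-04-07T09:12:44Z", "dev-contractor@contoso.example",
        "Microsoft.ExtendedLocation/customLocations/write", "Succeeded", _CL),
    _ev("2026-04-07T09:20:00Z", "svc-probe@contoso.example",
        "Microsoft.ExtendedLocation/customLocations/read", "Failed", _CL),
    _ev("2026-04-07T09:20:03Z", "svc-probe@contoso.example",
        "Microsoft.ExtendedLocation/customLocations/read", "Failed", _CL),
    _ev("2026-04-07T09:20:07Z", "svc-probe@contoso.example",
        "Microsoft.ExtendedLocation/customLocations/read", "Failed", _CL),
    _ev("2026-04-07T10:00:00Z", "dev-contractor@contoso.example",
        "Microsoft.Compute/virtualMachines/write", "Succeeded", _VM),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, {"ops-admin@contoso.example"}):
        print(finding)
```

Against the sample, the contractor's write and the three failed reads from the probing principal are reported, the admin's own write is not, and the unrelated Compute operation is ignored. The allowlist should be the same set of principals that the least-privilege review leaves with Microsoft.ExtendedLocation/* rights, so a finding under rule 1 means either the RBAC review or the alert rule is out of date.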

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:azure_custom_locations_resource_provider:-:*:*:*:*:*:*:*

Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Description Server-side request forgery (ssrf) in Azure Custom Locations Resource Provider (RP) allows an authorized attacker to elevate privileges over a network.
Title Azure Custom Locations Resource Provider (RP) Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft azure Custom Locations Resource Provider
Weaknesses CWE-918
CPEs cpe:2.3:a:microsoft:azure_custom_locations_resource_provider:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Custom Locations Resource Provider
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-30T14:42:45.819Z

Reserved: 2026-02-11T16:24:51.133Z

Link: CVE-2026-26135

Vulnrichment

Updated: 2026-04-03T12:53:36.158Z

NVD

Status : Analyzed

Published: 2026-04-03T00:16:04.353

Modified: 2026-04-06T17:51:15.783

Link: CVE-2026-26135

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:55:19Z

Weaknesses