Description
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-03-19
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Elevation of Privilege via Server‑Side Request Forgery
Action: Patch
AI Analysis

Impact

Microsoft Purview is vulnerable to a server‑side request forgery that allows an unauthenticated attacker to trigger the service to make outbound requests, potentially giving the attacker the ability to reach internal resources and elevate privileges, which aligns with CWE‑918.

Affected Systems

All deployments of Microsoft Purview, also known as Office Purview, are potentially affected because the CVE entry does not list specific version constraints.

Risk and Exploitability

The flaw carries a CVSS score of 8.6 and an EPSS score of less than 1 %, indicating high severity but low likelihood of exploitation; the vulnerability is not listed in CISA’s KEV catalog, and while no public exploit has been reported, the typical exploitation path would involve crafting requests that cause Purview to resolve arbitrary URLs – a mechanism that is inferred from the description of a server‑side request forgery.

Generated by OpenCVE AI on March 24, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Purview security update from the Microsoft Security Response Center.
  • If a patch is not yet available, restrict Purview’s outbound traffic to only required destinations.
  • Monitor Purview logs for suspicious external request activity.
  • Employ network segmentation and least‑privilege controls around Purview services.

Generated by OpenCVE AI on March 24, 2026 at 19:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft purview
CPEs cpe:2.3:a:microsoft:purview:-:*:*:*:*:*:*:*
Vendors & Products Microsoft purview

Mon, 23 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
Title Microsoft Purview Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft office Purview
Weaknesses CWE-918
CPEs cpe:2.3:a:microsoft:office_purview:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft office Purview
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C'}

Subscriptions

Microsoft Office Purview Purview
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-09T23:25:57.217Z

Reserved: 2026-02-11T16:24:51.134Z

Link: CVE-2026-26138

cve-icon Vulnrichment

Updated: 2026-03-20T20:19:10.348Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T21:17:08.217

Modified: 2026-03-24T17:15:19.500

Link: CVE-2026-26138

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:54:50Z

Weaknesses