Microsoft Purview is vulnerable to a server‑side request forgery that can be exploited by an unauthorized attacker to elevate privileges over the network. This weakness, classified as CWE‑918, allows malicious input to be sent to the Purview service, enabling the attacker to perform actions normally restricted to higher‑privileged users. The effect is that an attacker could gain administrative control or reconfigure system settings, thereby compromising confidentiality, integrity, and availability of the Purview environment.

The affected product is Microsoft Purview, including its Office Purview component. No specific product versions are listed in the data, so any deployment of Microsoft Purview could be vulnerable. Administrators should verify whether their installation was released on or after the date of the identified vulnerability.

The CVSS score of 8.6 indicates a high severity of the bug. The EPSS score of less than 1% suggests a low likelihood of immediate exploitation, and the vulnerability is not part of the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector involves a malicious user or compromised system within the Purview network exploiting the SSRF mechanism to send crafted requests to vulnerable endpoints, thereby gaining elevated privileges. Overall the risk is moderate to high for organizations with exposure to the Purview service, especially if internal network access is insufficiently restricted.