Description
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-04-23
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via SSRF
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a server‑side request forgery that allows an attacker with unauthorized access to send crafted HTTP requests to internal resources within the Microsoft Purview eDiscovery service. This flaw can lead to privilege escalation, allowing the attacker to gain higher level permissions than permitted by their original credentials. The weakness corresponds to CWE‑918, a form of SSRF.

Affected Systems

Microsoft Purview eDiscovery is the affected product. The vulnerability applies to all installed versions for which the vendor has not yet released an update, as no specific version range is provided in the CNA data. Users should check the Microsoft Security Update Guide for the latest fix.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. The EPSS score of less than 1 % suggests that the probability of exploitation in the wild is low at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the flaw can be exploited remotely if the Purview service is reachable from the attacker’s network, enabling an elevation of privilege. An attacker would need to craft a request that causes the service to fetch a resource internally, thereby bypassing authentication checks.

Generated by OpenCVE AI on April 28, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for CVE‑2026‑26150 as soon as it is available.
  • Restrict network access to the Purview eDiscovery service, allowing only trusted internal IP ranges or VPNs.
  • If an immediate patch is not possible, use the WAF or firewall to block outbound HTTP requests originating from Purview that target internal endpoints or block the SSRF entry points.
  • Monitor Purview logs for unauthorized outbound requests and raise alerts.

Generated by OpenCVE AI on April 28, 2026 at 07:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft purview Ediscovery
CPEs cpe:2.3:a:microsoft:purview_ediscovery:-:*:*:*:*:*:*:*
Vendors & Products Microsoft purview Ediscovery

Tue, 28 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.
Title Microsoft Purview eDiscovery Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft office Purview Ediscovery
Weaknesses CWE-918
CPEs cpe:2.3:a:microsoft:office_purview_ediscovery:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft office Purview Ediscovery
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Office Purview Ediscovery Purview Ediscovery
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-01T19:13:37.631Z

Reserved: 2026-02-11T16:24:51.135Z

Link: CVE-2026-26150

cve-icon Vulnrichment

Updated: 2026-04-24T14:55:12.221Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T22:16:23.177

Modified: 2026-04-29T19:10:35.600

Link: CVE-2026-26150

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:30:26Z

Weaknesses