Description
Server-side request forgery (SSRF) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-03-19
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Server‑Side Request Forgery (CWE‑918) in Azure Cloud Shell that allows an unprivileged or unauthorized attacker to send crafted requests to internal or external services, resulting in elevation of privileges over the network. By exploiting the SSRF flaw, an attacker could access resources that are normally restricted, potentially compromising confidentiality, integrity, or availability of data or services exposed through Azure Cloud Shell.

Affected Systems

The affected product is Microsoft Azure Cloud Shell. No specific version information is provided in the CVE data; all variants of the product are potentially impacted.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a network request originating from an Azure Cloud Shell session, which implies that an attacker able to initiate Azure Cloud Shell sessions can trigger the SSRF. Exploitation would involve the attacker constructing malicious requests that Cloud Shell forwards to internal services, thereby achieving privilege escalation within the Azure environment.

Generated by OpenCVE AI on March 19, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Microsoft’s Azure Cloud Shell update guide for any available patches or updates and apply them as soon as possible. If no patch is available, monitor Azure Cloud Shell activity logs for unusual outbound network requests and consider implementing network segmentation or firewall rules to restrict internal service access from the cloud shell environment.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 19 Mar 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network. |
| Title | | Azure Cloud Shell Elevation of Privilege Vulnerability |
| First Time appeared | | Microsoft; Microsoft azure Cloud Shell |
| Weaknesses | | CWE-918 |
| CPEs | | cpe:2.3:a:microsoft:azure_cloud_shell:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft; Microsoft azure Cloud Shell |
| References | | |
| Metrics | | cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-09T23:25:55.748Z

Reserved: 2026-03-10T23:09:43.266Z

Link: CVE-2026-32169

Vulnrichment

Updated: 2026-03-20T17:07:40.274Z

NVD

Status: Awaiting Analysis

Published: 2026-03-19T21:17:10.233

Modified: 2026-03-20T13:39:46.493

Link: CVE-2026-32169

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T11:06:12Z

Weaknesses