Description
Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-05-07
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input during web page generation in Azure Machine Learning results in a cross-site scripting vulnerability that an unauthorized attacker can use to perform spoofing over a network. The flaw allows malicious scripts to be injected into notebooks, where they can impersonate the notebook or the portal and trick users into interacting with forged content. This can lead to disclosure of sensitive information and unauthorized actions within the Azure environment.

Affected Systems

Microsoft Azure Machine Learning components are affected. No specific patch version is listed in the advisory, so all deployments of Azure Machine Learning that have not applied the vendor’s fix for CVE-2026-32207 remain vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity vulnerability. While an EPSS score is not available, the lack of a KEV listing suggests that no large-scale exploitation is currently documented. The likely attack vector involves injecting malicious script payloads into a notebook that is later viewed or executed by a target user. If successful, the attacker can spoof the notebook’s origin and potentially steal credentials or manipulate computations.

Generated by OpenCVE AI on May 7, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any Azure Machine Learning update that includes the fix for CVE-2026-32207.
  • Implement a Content Security Policy that disallows inline scripts and blocks external script execution for notebooks.
  • Restrict notebook upload and execution permissions to trusted users and monitor activity for suspicious script injection attempts.


Advisories

No advisories yet.

History

Thu, 07 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
Title | | Azure Machine Learning Notebook Spoofing Vulnerability
First Time appeared | | Microsoft, Microsoft azure Machine Learning
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:microsoft:azure_machine_learning:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft, Microsoft azure Machine Learning
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Azure Machine Learning
MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-07T20:58:51.273Z

Reserved: 2026-03-11T01:49:58.659Z

Link: CVE-2026-32207

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-07T22:16:33.900

Modified: 2026-05-07T22:16:33.900

Link: CVE-2026-32207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T22:30:36Z

Weaknesses