Description
Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-04-02
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Server‑Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a server‑side request forgery in Azure Databricks that allows an unauthorized attacker to make the service send crafted requests to internal services. By exploiting the SSRF flaw, an attacker can elevate privileges over the network, potentially reaching internal resources or performing actions beyond their assigned permissions. The weakness is classified as CWE‑918 (Server‑Side Request Forgery), meaning the vulnerable component can be induced to issue HTTP requests to destinations it does not sufficiently validate.

Affected Systems

Microsoft Azure Databricks is affected. No specific version information was provided, so all current deployments of Azure Databricks could be vulnerable unless mitigated by the vendor. Users should review their Azure Databricks environment for applied updates.

Risk and Exploitability

The CVSS v3.1 score is 10, indicating maximum severity. However, the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low current exploitation probability. The likely attack vector is network‑based, requiring the attacker to trigger the SSRF from within Azure Databricks, which may be privilege‑dependent or require access to certain endpoints. The impact ranges from a single user to the entire Azure Databricks cluster, depending on the privileges the attacker can elevate.

Generated by OpenCVE AI on April 6, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Azure Databricks security update or patch issued by Microsoft as listed in the Microsoft Security Response Center.
  • Verify that the patch has been successfully applied across all Azure Databricks workspaces.
  • After patching, monitor Azure Databricks logs for unexpected outbound requests that may indicate a residual SSRF attempt.
  • Restrict outbound network access from Azure Databricks to only necessary endpoints to reduce attack surface.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 18:00:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:microsoft:azure_databricks:-:*:*:*:*:*:*:*

Fri, 03 Apr 2026 15:15:00 +0000

Type     Values Removed    Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 00:15:00 +0000

Type                  Values Removed    Values Added
Description                             Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a network.
Title                                   Azure Databricks Elevation of Privilege Vulnerability
First Time appeared                     Microsoft
                                        Microsoft azure Databricks
Weaknesses                              CWE-918
CPEs                                    cpe:2.3:a:microsoft:azure_databricks:*:*:*:*:*:*:*:*
Vendors & Products                      Microsoft
                                        Microsoft azure Databricks
References
Metrics                                 cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-30T14:41:46.184Z

Reserved: 2026-03-17T20:15:23.720Z

Link: CVE-2026-33107

Vulnrichment

Updated: 2026-04-03T13:48:42.872Z

NVD

Status: Analyzed

Published: 2026-04-03T00:16:05.207

Modified: 2026-04-06T17:52:39.963

Link: CVE-2026-33107

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:55:20Z

Weaknesses