Description
Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-05-12
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of special elements in output used by a downstream component in Azure Machine Learning enables an unauthorized attacker to perform spoofing over a network, potentially allowing the attacker to impersonate legitimate traffic and manipulate or intercept communications. The weakness is an injection type vulnerability that fails to sanitize output, giving an attacker a pathway to substitute or fake data in transit.

Affected Systems

Microsoft Azure Machine Learning services are affected, though specific product versions are not listed in the advisory. All deployments that expose notebooks or downstream components without proper output filtering could be vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.2, indicating high severity. The EPSS score is not available, but the absence of a KEV listing suggests no publicly known exploitation as of now. The likely attack vector is remote injection via unsanitized data rendered in notebooks, requiring network access to the Azure Machine Learning portal or services. The impact is limited to spoofing rather than full code execution, yet it can enable attackers to impersonate legitimate traffic and potentially facilitate further attacks.

Generated by OpenCVE AI on May 12, 2026 at 19:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Azure Machine Learning update that fixes the injection issue.
  • Restrict network access to Azure Machine Learning endpoints, limiting exposure to unauthorized traffic.
  • Configure network security groups or firewalls to block spoofing attempts and monitor for anomalous connections.
  • Ensure all data displayed in notebooks is properly sanitized and escaped before rendering.
  • Review and tighten user permissions and notebook configurations within Azure Machine Learning.

Generated by OpenCVE AI on May 12, 2026 at 19:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
Title Azure Machine Learning Notebook Spoofing Vulnerability
First Time appeared Microsoft
Microsoft azure Machine Learning
Weaknesses CWE-74
CPEs cpe:2.3:a:microsoft:azure_machine_learning:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Machine Learning
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Machine Learning
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:54:08.065Z

Reserved: 2026-03-24T00:52:01.353Z

Link: CVE-2026-33833

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:05.160

Modified: 2026-05-12T18:17:05.160

Link: CVE-2026-33833

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T19:30:23Z

Weaknesses