Description
Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-05-22
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an origin validation error in Microsoft Entra ID that permits an unauthorized attacker to gain elevated privileges over a network. Because the origin of requests is not properly verified, an attacker can masquerade as a legitimate user or service and obtain unauthorized administrative access. This leads to complete control over the Entra ID tenant, allowing the attacker to create or modify identities, delete objects, or alter policy settings.

Affected Systems

This flaw affects Microsoft Entra ID, the cloud identity platform provided by Microsoft. All versions that include the affected component, as identified by the CNA, are impacted; the advisory does not disclose specific version details, so organizations should verify whether their tenant depends on the component that is known to be vulnerable.

Risk and Exploitability

The CVSS score of 10 indicates critical severity. No EPSS score is presented, so the probability of exploitation is not quantified, but the absence of an exploit probability score does not diminish the risk, because the vulnerability allows direct privilege escalation. The issue is not listed in the CISA KEV catalog. The likely attack vector is remote and network-based: an attacker would need to send a crafted request that bypasses origin verification to the Entra ID endpoint. Because the flaw is in origin validation, any network path that can reach the service can be used.

Generated by OpenCVE AI on May 22, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all Microsoft Entra ID instances to the latest available release that contains the fix for CVE-2026-42901.
  • Configure network segmentation to restrict access to the Entra ID service to trusted IP addresses or VNet service endpoints until the fix is in place.
  • Enforce strict origin verification by enabling any available supervisor policies or conditional access controls that limit which domains or applications can invoke Entra ID APIs.
  • As a temporary measure, monitor logs for unusual authentication or token issuance events that could indicate exploitation of origin validation failures and investigate immediately.

Tracking

Advisories

No advisories yet.

History

Sat, 23 May 2026 04:15:00 +0000

  • Metrics (ssvc), values removed: none; values added:
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 May 2026 22:30:00 +0000

No values were removed in this change; values added:

  • Description: Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
  • Title: Microsoft Entra ID Elevation of Privilege Vulnerability
  • First Time appeared: Microsoft; Microsoft microsoft Entra Id
  • Weaknesses: CWE-346
  • CPEs: cpe:2.3:a:microsoft:microsoft_entra_id:*:*:*:*:*:*:*:*
  • Vendors & Products: Microsoft; Microsoft microsoft Entra Id
  • References: none
  • Metrics (cvssV3_1):
    {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Microsoft Entra Id
MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-23T03:19:46.156Z

Reserved: 2026-04-30T22:35:54.967Z

Link: CVE-2026-42901

Vulnrichment

Updated: 2026-05-23T03:19:25.993Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T23:30:03Z

Weaknesses