CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-32169

CVSS 10.0v3.1pub. 2026-03-19upd. 2026-04-14

Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The vulnerability is an SSRF class error (CWE-918), in which a server application — in this case Azure Cloud Shell — can be induced to perform network requests on behalf of an attacker without his authentication. A remote attacker, without any user interaction and without possessing an account, sends crafted requests that are processed by the server on the Azure infrastructure side. The attack vector is network, complexity is low, and the scope of impact extends beyond the original component (Scope: Changed), which means the ability to impact other resources in the cloud environment.

Impact

Successful exploitation of the vulnerability may allow an attacker to escalate privileges in the Azure environment, and given the CVSS values indicating full impact on confidentiality, integrity and availability — potentially complete takeover of resources available from Azure Cloud Shell.

Mitigation & patch

Apply patches available from the vendor according to the references — detailed information is available in Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32169. As a supplementary measure, it is recommended to restrict access to Azure Cloud Shell only to trusted and authenticated users and to monitor outbound traffic from cloud services.

Who is affected

Microsoft Azure Cloud Shell — versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Cloud Shell

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2026-35428CRITICAL9.6PL ✓ten sam produkt

Command injection w Microsoft Azure Cloud Shell umożliwiający spoofing

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty