CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-32213

CVSS 10.0v3.1pub. 2026-04-03upd. 2026-04-06

Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

The vulnerability results from improper implementation of access controls in the Azure AI Foundry service. An attacker operating remotely, without needing to possess an account or permissions, can send an appropriately crafted network request that bypasses authorization mechanisms. As a result, the attacker gains a higher level of access than they are entitled to, which in the context of a cloud environment (Scope: Changed) means potential breach of isolation boundaries between resources.

Impact

An unauthorized attacker can obtain elevated privileges in the Azure AI Foundry environment, which according to the CVSS vector leads to complete breach of confidentiality, integrity, and availability of resources. This may include access to third-party data, modification of resources, or disruption of service operations.

Mitigation & patch

Security patches available from the vendor should be applied according to the references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32213. In the case of services managed by Microsoft (SaaS/PaaS), the update may be deployed automatically on the vendor's side — verification of status in Microsoft Security Response Center is recommended.

Who is affected

Microsoft Azure AI Foundry — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Microsoft Azure Ai Foundry

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-35435HIGH8.6ten sam produkt

Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate p...

CVE-2026-8398CRITICAL9.3⚠ KEVPL ✓ten sam vendor

Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów

CVE-2026-20963CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server

CVE-2025-59287CRITICAL9.8⚠ KEVPL ✓ten sam vendor

RCE w Windows Server Update Service (WSUS) — deserializacja danych

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty