Platform
windows
Component
microsoft-purview
Fixed in
2.5.4
CVE-2026-26138 describes a server-side request forgery (SSRF) vulnerability within Microsoft Purview. This flaw allows an unauthorized attacker to potentially escalate privileges and gain access to resources on a network. The vulnerability impacts versions 1.0.0 and earlier, with a fix available in version 2.5.4.
The SSRF vulnerability in Microsoft Purview enables an attacker to craft malicious requests that the Purview service will execute on behalf of the attacker. This can lead to unauthorized access to internal network resources, potentially exposing sensitive data or allowing the attacker to perform actions they shouldn't be able to. Successful exploitation could involve accessing internal APIs, reading configuration files, or even interacting with other services within the network. The blast radius extends to any internal resource accessible via HTTP/HTTPS requests initiated by the Purview service, making it a significant security concern.
CVE-2026-26138 was publicly disclosed on 2026-03-19. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation, but the SSRF nature of the vulnerability suggests a potential for medium to high exploitation probability given sufficient attacker knowledge and access. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS
0.09% (26% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-26138 is to upgrade Microsoft Purview to version 2.5.4 or later, which includes the necessary fix. If immediate upgrading is not feasible, consider implementing temporary workarounds such as restricting outbound network access for the Purview service to only necessary destinations. Employing a Web Application Firewall (WAF) with SSRF protection rules can also help to block malicious requests. Regularly review and audit network configurations to identify and minimize potential attack surfaces.
Microsoft has released a security update for Microsoft Purview that addresses this vulnerability. Apply the latest update provided by Microsoft to mitigate the risk of privilege escalation via SSRF. Refer to the Microsoft update guidance for detailed instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-26138 is a server-side request forgery vulnerability in Microsoft Purview allowing unauthorized privilege escalation. It has a CVSS score of 8.6 (HIGH).
Yes, if you are using Microsoft Purview versions 1.0.0 or earlier, you are affected by this SSRF vulnerability.
Upgrade Microsoft Purview to version 2.5.4 or later to remediate the vulnerability. Consider temporary workarounds like restricting outbound network access if immediate upgrade is not possible.
Currently, there are no publicly known active exploitation campaigns, but the SSRF nature of the vulnerability warrants vigilance.
Refer to the official Microsoft security advisory for CVE-2026-26138 on the Microsoft Security Response Center website.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.