CVE-2026-26139 describes a server-side request forgery (SSRF) vulnerability discovered in Microsoft Purview. This flaw allows an attacker to potentially elevate privileges and gain unauthorized access to network resources. The vulnerability impacts versions 1.0.0 and earlier, with a fix available in version 2.5.4. Microsoft has released an advisory and patch to address this issue.
The SSRF vulnerability in Microsoft Purview allows an attacker to craft malicious requests that the Purview service will execute on behalf of the attacker. This can lead to unauthorized access to internal resources, data exfiltration, and potentially even privilege escalation. An attacker could, for example, use this vulnerability to scan internal networks for open ports or access sensitive data stored on internal servers. The blast radius extends to any network resources accessible by the Purview service, potentially impacting multiple systems and data stores. While no direct precedent exists for this specific SSRF, SSRF vulnerabilities generally pose a significant risk due to their ability to bypass security controls and access internal resources.
CVE-2026-26139 was publicly disclosed on March 19, 2026. The vulnerability's severity is rated HIGH (CVSS 8.6). There are currently no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of this writing. The potential for exploitation exists due to the ease of SSRF exploitation and the potential impact on sensitive data and internal systems.
Organizations heavily reliant on Microsoft Purview for data governance and compliance are at significant risk. Specifically, deployments with extensive network access granted to the Purview service, or those using older versions (1.0.0 and earlier) are particularly vulnerable. Shared hosting environments utilizing Microsoft Purview also face increased risk due to potential cross-tenant exploitation.
• windows / supply-chain:
# Application log, event ID 1000, message filtered client-side (Get-WinEvent has no -Filter parameter)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000 } | Where-Object { $_.Message -like '*Purview SSRF attempt*' }
• windows / supply-chain:
# Path is the executable itself, so take its directory before recursing for log files
Get-Process -Name "PurviewService" | Select-Object -ExpandProperty Path | Split-Path -Parent | ForEach-Object { Get-ChildItem $_ -Recurse | Where-Object { $_.Name -like "*.log" } }
• generic web:
Use curl or wget to test for SSRF by attempting to access internal resources through the Purview service. For example, curl http://purview-service/http://internal-server.
Exploitation status
EPSS: 0.09% (25th percentile)
The primary mitigation for CVE-2026-26139 is to upgrade Microsoft Purview to version 2.5.4 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing temporary workarounds such as restricting network access for the Purview service to only the necessary resources. Implement strict input validation and sanitization to prevent malicious requests from being processed. Consider deploying a Web Application Firewall (WAF) with SSRF protection rules to filter out potentially malicious requests. After upgrading, confirm the fix by attempting to trigger the SSRF vulnerability and verifying that the request is blocked or handled securely.
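The "strict input validation" workaround above, shown as an added example that is not Microsoft Purview code: outbound request targets are checked against an allowlisted scheme and host, and the resolved address is refused if it falls in a loopback, private, link-local or reserved range. The host allowlist and the address table standing in for DNS are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS resolution (no network access).
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal-server": ["10.0.0.5"],
    "purview-service": ["10.0.0.20"],
}

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com"}  # hypothetical allowlist for this example


def resolve(host):
    """Return the addresses a host maps to: a literal IP as-is, else the constructed table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_internal(addr):
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254), reserved and similar ranges."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url):
    """Deny by default: return (True, 'ok') only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    addrs = resolve(host)
    # Re-check after resolution so an allowlisted name cannot point at an internal address.
    if not addrs or any(is_internal(a) for a in addrs):
        return False, f"host {host!r} resolves to an internal address"
    return True, "ok"
```

Because the host check happens before resolution and the resolved addresses are checked again afterwards, a URL whose path embeds a second URL (the curl example earlier on this page) is rejected on its outer host rather than on anything in the path.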
Apply the Microsoft Purview security update provided by Microsoft. This update fixes a server-side request forgery (SSRF) vulnerability that allows an unauthorized attacker to elevate privileges over a network. Refer to the Microsoft Security Update Guide for detailed instructions.
CVE-2026-26139 is a server-side request forgery vulnerability in Microsoft Purview allowing attackers to potentially elevate privileges and access internal network resources.
If you are using Microsoft Purview versions 1.0.0 or earlier, you are affected by this vulnerability. Upgrade to version 2.5.4 or later to mitigate the risk.
The recommended fix is to upgrade Microsoft Purview to version 2.5.4 or later. As a temporary workaround, restrict network access and implement input validation.
As of the current date, there are no confirmed reports of active exploitation, but the potential for exploitation exists due to the nature of SSRF vulnerabilities.
Refer to the official Microsoft security advisory for CVE-2026-26139 on the Microsoft Security Response Center website.