Microsoft has disclosed a critical Server-Side Request Forgery (SSRF) vulnerability in Microsoft Purview eDiscovery, tracked as CVE-2026-26150, that allows unauthenticated remote attackers to elevate their privileges across a network.
Released on April 23, 2026, the flaw carries a CVSS base score of 8.6 (Critical). It has already been fully patched on the server side by Microsoft, requiring no action from enterprise users or administrators.
CVE-2026-26150 is rooted in a Server-Side Request Forgery (SSRF) weakness (CWE-918) in Microsoft Purview eDiscovery, a compliance tool used by enterprises to search, hold, and export content across Microsoft 365 environments for legal and regulatory purposes.
Microsoft Purview SSRF Vulnerability
The vulnerability allows an unauthorized attacker to forge server-side HTTP requests, effectively tricking the backend service into accessing internal resources it should not access, ultimately resulting in network-wide privilege escalation.
The flaw was assigned by Microsoft’s own CNA (CVE Numbering Authority) and acknowledged via the Microsoft Security Response Center (MSRC) on April 23, 2026, as part of the company’s expanding Cloud Service CVE transparency initiative.
The technical severity of CVE-2026-26150 is reflected in its CVSS 3.1 vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | None |
| Availability Impact | None |
| CVSS Base Score | 8.6 (Critical) |
| Temporal Score | 7.5 |
| Exploit Code Maturity | Unproven |
| Remediation Level | Official Fix |
What makes CVE-2026-26150 particularly alarming is the combination of no authentication required (PR:N), no user interaction (UI:N), and changed scope (S:C), meaning a successful exploit can impact resources beyond the vulnerable component itself.
The high confidentiality impact (C:H) indicates that sensitive organizational data stored in Purview eDiscovery cases, including legal holds, search exports, and compliance content, could be exposed during exploitation.
SSRF vulnerabilities exploit a server’s trust in itself to make unauthorized requests to internal services, cloud metadata endpoints, or protected backend infrastructure, all originating from the server’s trusted identity.
In the context of Microsoft Purview eDiscovery, which operates within a shared cloud environment processing sensitive enterprise compliance data, a successful SSRF exploit could allow an attacker to:
- Access internal cloud metadata services (e.g., Azure IMDS endpoints) to retrieve access tokens
- Pivot to internal services unreachable from the public internet
- Forge requests that impersonate elevated service identities
- Extract sensitive eDiscovery content, including legal holds and custodian data
This exploitation pathway aligns with a broader pattern of SSRF-to-privilege-escalation attacks observed across Microsoft’s cloud-native services. An earlier related flaw, CVE-2026-26138, similarly targeted Microsoft Purview as an elevation-of-privilege vector and was disclosed in March 2026.
Mitigation
Unlike most CVEs that demand immediate patching by enterprise teams, CVE-2026-26150 requires zero customer action. Microsoft has fully mitigated the vulnerability at the service level.
The patch has already been deployed on the backend infrastructure. The CVE was published solely to maintain transparency about cloud-service security incidents, consistent with Microsoft’s “Toward Greater Transparency: Unveiling Cloud Service CVEs” initiative.
This initiative reflects Microsoft’s shift toward proactively disclosing cloud-service vulnerabilities even when customers are not required to take any remedial steps, a notable improvement in enterprise trust and security communication.
Microsoft Purview eDiscovery is not a trivial service; it is deeply integrated into enterprise compliance workflows, providing three core solutions: Content Search, eDiscovery (Standard), and eDiscovery (Premium).
Organizations use it to process sensitive litigation holds, regulatory inquiries, and internal investigations. This makes it a prime target for threat actors seeking access to confidential communications, legal strategies, and intellectual property.
Security researchers have noted that role misconfigurations within Purview, such as assigning external parties to the eDiscovery Manager role instead of restricted Reviewer roles, can further amplify the blast radius of privilege escalation flaws.
Enterprises are strongly advised to audit their eDiscovery role group assignments in the Microsoft Purview Compliance Portal, even though no patch action is required for CVE-2026-26150 itself.
The vulnerability was not publicly disclosed before the official CVE publication, and there is no evidence of active exploitation in the wild at the time of release. Microsoft currently rates the exploit code maturity as “Unproven” and the report confidence as “Confirmed”.
Recommendations
While no patch is required, security teams should take the following precautionary steps:
- Audit eDiscovery role assignments in the Microsoft Purview Compliance Portal, ensuring only authorized personnel hold eDiscovery Manager roles
- Review Unified Audit Logs for any anomalous access patterns targeting eDiscovery cases around and before April 23, 2026
- Apply the principle of least privilege across Microsoft 365 compliance roles to minimize lateral movement risk
- Monitor Microsoft MSRC advisories for any updates or revisions to CVE-2026-26150’s exploitability assessment
- Enable Microsoft Purview sensitivity labels to restrict unauthorized access to compliance data
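The role-group audit recommended above (and the role-misconfiguration point raised earlier) together with the Unified Audit Log review, as an added PowerShell example that is not part of the article. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account may connect to Security & Compliance PowerShell, and it uses MailUser recipient type only as a heuristic for possible external (guest) members; the date window is a constructed choice around the disclosure date.

```powershell
# Added example, not from the article. Assumes the ExchangeOnlineManagement module
# is installed and the signed-in account may use Security & Compliance PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# --- 1. Role-group audit: who holds eDiscovery Manager vs. the restricted Reviewer role ---
foreach ($group in @('eDiscovery Manager', 'Reviewer')) {
    Write-Host "`n== Members of role group '$group' =="
    $members = Get-RoleGroupMember -Identity $group
    foreach ($m in $members) {
        # Heuristic (assumption): guest/external accounts usually surface as MailUser
        # recipients, so flag them for manual review rather than treating this as authoritative.
        $flag = if ($m.RecipientType -eq 'MailUser') { 'REVIEW: possible external account' } else { '' }
        '{0,-40} {1,-15} {2}' -f $m.Name, $m.RecipientType, $flag
    }
}

# --- 2. Unified Audit Log review: eDiscovery activity around the 23 April 2026 disclosure ---
# Constructed window: two weeks before and one week after the disclosure date.
$start = Get-Date '2026-04-09'
$end   = Get-Date '2026-04-30'
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
          -RecordType Discovery -ResultSize 5000

# Flatten each record's AuditData JSON so user, operation and source IP can be grouped.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        ClientIP  = $d.ClientIP      # common audit schema field; may be empty for some operations
    }
}

# Baseline view: which identities performed which eDiscovery operations, and how often.
$rows | Group-Object User, Operation |
    Select-Object @{n='User/Operation';e={$_.Name}}, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Identities that acted from more than one source IP in the window deserve a closer look.
$rows | Where-Object ClientIP | Group-Object User |
    Where-Object { ($_.Group.ClientIP | Sort-Object -Unique).Count -gt 1 } |
    Select-Object Name, @{n='DistinctIPs';e={($_.Group.ClientIP | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5,000 records per call, so split the window into smaller ranges if a tenant's eDiscovery activity is heavier than that.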
FAQ
Q1: What is CVE-2026-26150?
CVE-2026-26150 is a critical SSRF-based Elevation of Privilege vulnerability (CVSS 8.6) in Microsoft Purview eDiscovery, disclosed on April 23, 2026.
Q2: Do organizations need to patch CVE-2026-26150?
No, Microsoft has fully mitigated this vulnerability on the server side; no customer or administrator action is required.
Q3: Is CVE-2026-26150 being actively exploited?
No. No active exploitation has been observed, and exploit code maturity is currently rated “Unproven” by Microsoft.
Q4: Why did Microsoft issue a CVE if no patch is needed?
Microsoft issued this CVE as part of its cloud transparency initiative to inform enterprises about security risks that are proactively addressed at the service level.
Site: thecybrdef.com