Microsoft has disclosed a critical Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-35431, in Microsoft Entra ID Entitlement Management, with a maximum CVSS score of 10.0, that could allow an unauthenticated remote attacker to perform spoofing attacks across a network.
The vulnerability was publicly released on April 23, 2026, and has already been fully remediated by Microsoft with no customer action required.
CVE-2026-35431 is a critical-severity spoofing vulnerability rooted in a Server-Side Request Forgery (SSRF) flaw (CWE-918) affecting Microsoft Entra ID Entitlement Management, the cloud-native identity governance feature of the Entra ID platform.
In SSRF attacks, a malicious actor tricks the server into making unauthorized outbound requests to internal or external resources, effectively weaponizing the server’s own trust context to forge identities or exfiltrate sensitive data.
SSRF Vulnerability
The vulnerability is documented under the CVSS 3.1 vector string: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, which translates to a perfect base score of 10.0 (Critical) and a temporal score of 8.7.
This score reflects the most severe possible risk profile: network-accessible, low attack complexity, no privileges or user interaction required, and a changed scope with High impact on confidentiality, integrity, and availability. Microsoft is the CVE Numbering Authority (CNA) for this vulnerability.
Microsoft Entra ID Entitlement Management is an identity governance solution that automates access requests, approvals, and lifecycle management for users across organizational resources, including groups, applications, and SharePoint sites.
When an SSRF flaw exists in such a component, an unauthenticated attacker on the network can manipulate HTTP requests processed by the Entra ID service so that it reaches internal endpoints that should be inaccessible, enabling full spoofing of user or service identities.
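The two passages above (the SSRF description and the "reach internal endpoints" mechanism) describe the class of bug, not its specific trigger in Entra ID, which the advisory does not publish. As an added illustration of the standard defensive control against this class, the following is example code, not part of the article and not Microsoft's implementation: a guard that any service making URL-driven outbound requests can apply before fetching. The allow-list, the fake DNS table and the IP addresses are constructed for the example; the `resolve` parameter exists so the check can be tested offline and so the caller can pin the resolved address when it actually connects (otherwise a DNS rebinding between check and connect would defeat the check).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy: only these hosts, only HTTPS, only the default port.
ALLOWED_HOSTS = {"api.example.com", "partner.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}


def default_resolve(host: str) -> list:
    """Resolve a hostname to its IP addresses via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for globally routable addresses; loopback, RFC 1918,
    link-local (169.254/16, where cloud metadata services live), CGNAT and
    documentation ranges all return False."""
    return ipaddress.ip_address(addr).is_global


def check_outbound_url(url: str, resolve=default_resolve) -> tuple:
    """Return (allowed, reason). Rejects anything outside the allow-list and
    any allow-listed host that resolves to a non-public address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {host}"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    # Caller should connect to one of `addrs` directly (pinning) rather than
    # re-resolving, so the address checked is the address used.
    return True, "ok"


# Constructed DNS table for offline demonstration: partner.example.com is on
# the allow-list but has been pointed at an internal address.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "partner.example.com": ["10.0.0.5"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/users",
        "http://api.example.com/v1/users",
        "https://169.254.169.254/latest/meta-data/",
        "https://user:secret@api.example.com/",
        "https://api.example.com:8080/",
        "https://partner.example.com/callback",
    ]:
        print(candidate, "->", check_outbound_url(candidate, resolve=fake_resolve))
```

The host allow-list does most of the work; the post-resolution address check is the backstop for the case the sixth URL shows, where a trusted name is redirected to an internal address. Whatever the service does with the fetched response, it should never forward the request with its own credentials or tokens attached, since that is precisely the "server's own trust context" the SSRF description above refers to.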
The attack vector is entirely network-based, requiring no local access or interaction with the victim, making this a zero-click, remote-exploitation scenario at its most dangerous.
With the scope marked as Changed, a successful exploit could pivot beyond the Entra ID service boundary, potentially compromising downstream cloud workloads, OAuth tokens, and administrative access in connected Microsoft 365 tenants.
The exploit code maturity is currently rated Unproven, meaning no public proof-of-concept or active in-the-wild exploitation has been confirmed at the time of disclosure.
Given Microsoft Entra ID’s role as the backbone of identity and access management for millions of enterprise deployments globally, a successful exploitation of CVE-2026-35431 could have had catastrophic downstream consequences.
Threat actors could have abused the spoofing capability to impersonate high-privilege users, including Global Administrators, and access sensitive data repositories such as Exchange mailboxes, SharePoint document libraries, and Azure Key Vault secrets, or establish persistent backdoor accounts across multi-tenant environments.
This vulnerability’s impact is further amplified in organizations operating hybrid identity environments where Entra ID synchronizes with on-premises Active Directory.
The Changed Scope metric in CVSS scoring is a particularly alarming indicator, signaling that a compromised component (Entra ID Entitlement Management) can directly impact resources outside its authorized scope, such as Azure subscriptions, cloud infrastructure, and third-party SaaS applications connected via Entra ID federation.
Remediation
Microsoft has confirmed that CVE-2026-35431 has been fully mitigated at the service level, meaning the fix was deployed directly to the Microsoft cloud infrastructure without requiring any patch installation or configuration changes from enterprise customers or end users.
This cloud-side remediation model aligns with Microsoft’s transparency initiative, which discloses cloud service CVEs publicly to inform the security community, even when no user action is needed.
Microsoft’s Exploitability Index rates the vulnerability as N/A for active exploitation, meaning no known attacks leveraged this flaw before the patch was deployed. The remediation level is classified as Official Fix, with report confidence rated Confirmed, providing high assurance that the remediation is complete and verified.
CVE-2026-35431 is not an isolated event. Microsoft Entra ID has faced a series of critical vulnerability disclosures in recent years, reflecting the growing interest of attackers in identity infrastructure as a high-value target.
In September 2025, CVE-2025-55241, a CVSS 10.0 elevation-of-privilege flaw, was disclosed; it allowed attackers to perform cross-tenant impersonation via crafted Actor Tokens, bypassing MFA and Conditional Access policies to achieve Global Admin compromise.
These recurring vulnerabilities underscore the need for enterprises to continuously audit their Entra ID configurations, monitor service principal permissions, and implement just-in-time privileged access management regardless of whether a specific CVE requires action.
Security teams should also review the April 2026 Patch Tuesday disclosures, where Microsoft addressed over 160 vulnerabilities, including CVE-2026-32201, a SharePoint Server spoofing zero-day that was actively exploited in the wild.
Identity and access management platforms remain among the most targeted attack surfaces across enterprise environments, and proactive threat modeling for Entra ID remains a critical security posture requirement.
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-35431 |
| Affected Product | Microsoft Entra ID Entitlement Management |
| Vulnerability Type | Server-Side Request Forgery (SSRF) / Spoofing |
| CWE | CWE-918 |
| CVSS Base Score | 10.0 (Critical) |
| CVSS Temporal Score | 8.7 |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Patch Status | Fully Mitigated by Microsoft |
| Customer Action | Not Required |
| Disclosed | April 23, 2026 |
FAQ
Q1. What is CVE-2026-35431?
It is a critical SSRF-based spoofing vulnerability in Microsoft Entra ID Entitlement Management, with a CVSS score of 10.0, allowing unauthenticated remote attackers to spoof identities across the network.
Q2. Do organizations need to apply any patches for CVE-2026-35431?
No, Microsoft has fully mitigated this vulnerability at the cloud service level, requiring no action from end users or enterprise administrators.
Q3. Was CVE-2026-35431 actively exploited in the wild?
No active exploitation or public proof-of-concept exploit has been confirmed; the exploit code maturity is currently rated “Unproven” by Microsoft.
Q4. Who discovered and reported CVE-2026-35431?
The vulnerability was responsibly disclosed to Microsoft by security researcher Felix B., who is officially acknowledged in the Microsoft Security Response Center (MSRC) advisory.
Site: thecybrdef.com