CVE-2026-48567

critical

Published 2026-06-04 · Modified 2026-06-04

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

10.0

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H/E:U/RL:O/RC:C

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network.

Predictions

Exploit likelihood

98%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Microsoft Security Response Center · View original ↗ · proprietary-no-redistribution

Full prose not cached — VIR stores only structured fields (affected/fixed versions, references) for this source. Click "View original" above for the vendor's full advisory.

Affected

Vendor	Product	Version
microsoft	Microsoft Exchange Online
microsoft	Microsoft 365 Copilot
microsoft	Copilot Chat (Microsoft Edge)
microsoft	azl3 kernel 6.6.139.1-1 on Azure Linux 3.0
microsoft	Azure HorizonDB
microsoft	Microsoft Graph
microsoft	azl3 python-pip 24.2-8 on Azure Linux 3.0
microsoft	azl3 freeipmi 1.6.17-1 on Azure Linux 3.0

OS impact

Windows Affected 1 release

Version	Status	Fixed in
—	Affected	—

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48567

CWEs

CWE-290

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.