CVE-2026-57100
critical
CVSS v3
9.9
CVSS v4
-
VIR risk
9.9
Description
Server-side request forgery (SSRF) in Microsoft Entra Provisioning Service (SyncFabric) allows an authorized attacker to elevate privileges over a network.
Predictions
Exploit likelihood
98%
Patch ETA
-
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Source: Microsoft Security Response Center · View original → · proprietary-no-redistribution
Full prose not cached: VIR stores only structured fields (affected/fixed versions, references) for this source. Click "View original" above for the vendor's full advisory.
Affected
| Vendor | Product | Version |
|---|---|---|
| microsoft | Microsoft Exchange Online | |
| microsoft | Azure Synapse | |
| microsoft | Azure Open AI | |
| microsoft | Microsoft 365 Copilot | |
| microsoft | azl3 kernel 6.6.139.1-1 on Azure Linux 3.0 | |
| microsoft | azl3 kernel 6.6.143.1-1 on Azure Linux 3.0 | |
| microsoft | Microsoft Entra Provisioning Service | |
| microsoft | azl3 runc 1.3.3-2 on Azure Linux 3.0 | |
OS impact
Windows: Affected (1 release)
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
References
CWEs
CWE-918