{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35431", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-04-02T19:21:11.804Z", "datePublished": "2026-04-23T21:37:42.137Z", "dateUpdated": "2026-05-12T17:39:55.617Z"}, "containers": {"cna": {"title": "Microsoft Entra ID Entitlement Management Spoofing Vulnerability", "datePublic": "2026-04-23T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:microsoft_entra_id:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Entra", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:39:55.617Z"}, "references": [{"name": "Microsoft Entra ID Entitlement Management Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35431"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-35431"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T03:55:39.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35431", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T14:51:54.531519Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T14:55:09.684Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Entra ID Entitlement Management Spoofing Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 10, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Entra", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-04-23T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35431", "name": "Microsoft Entra ID Entitlement Management Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:microsoft_entra_id:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T16:06:56.280Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35431", "state": "PUBLISHED", "dateUpdated": "2026-05-11T16:06:56.280Z", "dateReserved": "2026-04-02T19:21:11.804Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-04-23T21:37:42.137Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:entra_id:-:*:*:*:*:*:*:*", "matchCriteriaId": "D09E509F-AFF3-4991-877A-D197388E7AD4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network."}], "id": "CVE-2026-35431", "lastModified": "2026-04-28T12:10:53.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-04-23T22:16:38.510", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35431"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 91.0, "source": "matching"}]}, "original": {"product": "Microsoft Entra", "source": "cna", "vendor": "Microsoft"}, "product": "entra_id", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-28T20:28:36.747758+00:00", "value": {"mitigation_remediation": ["Apply the latest Microsoft Entra ID security update as published by Microsoft.", "Restrict access to the Entitlement Management API by allowing only trusted IP ranges or internal networks through firewall or network segmentation.", "Disable or tightly restrict outbound connections from Entra ID servers to unknown destinations, using firewall rules or web application firewall policies to block unsolicited requests.", "Monitor outbound network traffic from Entra ID for unexpected or suspicious connections and log all outbound requests for auditing."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011side request forgery (SSRF) leading to network spoofing"}, "threat_synthesis": {"affected_systems": "Microsoft Entra ID, specifically the Entitlement Management component. Because the advisory does not list particular build numbers or patch releases, all deployments using Entra ID are potentially impacted until Microsoft issues a fix. Administrators should verify the version they are operating but note that version specifics were not disclosed.", "description_and_impact": "Microsoft Entra ID Entitlement Management contains a server\u2011side request forgery flaw that permits an unauthorized attacker to direct the service to send requests to arbitrary internal endpoints. Based on the description, it is inferred that this could be used to spoof network traffic, causing the Entra ID server to invoke services or endpoints within the internal network without user interaction. The vulnerability is limited to the Entitlement Management functionality and requires no authentication to exploit.", "risk_and_exploitability": "The CVSS score of 10.0 marks this as a critical vulnerability that can be exploited by an unauthorized attacker. The EPSS score of less than 1% indicates a low current exploitation probability, and it is not catalogued in CISA\u2019s KEV list. Attackers can exploit the flaw by sending a crafted request to the Entitlement Management API, causing the Entra service to connect to arbitrary URLs on the internal network. No user interaction or authentication is required to bring the vulnerability to fruition."}}}}, "created": "2026-04-28T08:45:26.976747+00:00", "updated": "2026-04-28T20:30:06.195450+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$entra_id"]}