{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26139", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T16:24:51.134Z", "datePublished": "2026-03-19T21:06:21.346Z", "dateUpdated": "2026-03-24T16:49:48.830Z"}, "containers": {"cna": {"title": "Microsoft Purview Elevation of Privilege Vulnerability", "datePublic": "2026-03-19T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:office_purview:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Purview", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-24T16:49:48.830Z"}, "references": [{"name": "Microsoft Purview Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26139"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T04:01:38.556011Z", "id": "CVE-2026-26139", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:04:17.177Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26139", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-21T04:01:38.556011Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:30:03.794Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Purview Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Purview", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-03-19T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26139", "name": "Microsoft Purview Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:office_purview:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-24T16:49:48.830Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26139", "state": "PUBLISHED", "dateUpdated": "2026-03-24T16:49:48.830Z", "dateReserved": "2026-02-11T16:24:51.134Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-19T21:06:21.346Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:purview:-:*:*:*:*:*:*:*", "matchCriteriaId": "7387D350-6697-4865-BF5B-1D36F1B1A8DF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network."}, {"lang": "es", "value": "Falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en Microsoft Purview permite a un atacante no autorizado elevar privilegios sobre una red."}], "id": "CVE-2026-26139", "lastModified": "2026-03-24T17:14:00.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-19T21:17:08.377", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26139"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "office_purview", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-19T22:24:58.938231+00:00", "value": {"mitigation_remediation": ["Check for and install the latest Microsoft update that addresses CVE-2026-26139.", "If a patch is not yet available, isolate the Purview service from external networks or restrict inbound traffic to only trusted hosts.", "Configure network segmentation or firewall rules to limit internal requests originating from the Purview application to necessary endpoints.", "Enable logging of Purview access and monitor for suspicious outbound request patterns associated with SSRF attempts."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is Microsoft Purview (Office Purview). No specific version information is supplied in the data; the cpe string for the product is provided.", "description_and_impact": "A server-side request forgery flaw in Microsoft Purview allows an unauthorized attacker to send crafted requests to internal resources through the Purview service. The vulnerability is mapped to the CWE-918 weakness for server-side request forgery and can enable the attacker to elevate privileges within the affected environment.", "risk_and_exploitability": "The CVSS score is 8.6, indicating high severity. The EPSS score is not available and the vulnerability has not been listed in CISA\u2019s KEV catalog. The likely attack vector involves an unauthenticated or minimally authenticated attacker accessing the Purview service over a network, exploiting the SSRF to reach internal resources and gain elevated privileges. The information necessary to confirm exploitation conditions is not detailed in the source; the assessment is based on the description of the SSRF flaw and its impact."}}}}, "created": "2026-03-20T08:56:02.093977+00:00", "updated": "2026-03-20T11:06:11.883428+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$office_purview"]}