CVE-2026-42901

Published May 22, 2026

Last updated 21 days ago

CVSS critical 10.0

Overview

Description
Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network.
Source
secure@microsoft.com
NVD status
Analyzed
CNA Tags
exclusively-hosted-service
Products
entra_id

Risk scores

CVSS 3.1

Type
Primary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

secure@microsoft.com
CWE-346

Social media

Hype score
Not currently trending

  1. 🚨 CRITICAL: CVE-2026-42901 - CVSS 10.0 Origin validation flaw in Microsoft Entra ID enables unauthenticated privilege escalation over network. No user interaction required. Patch immediately. #CVE #Vulnerability #PatchNow #ThreatIntel https://t.co/xmvMUUreYI

    @DFIR_Lab

    27 May 2026

    51 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Microsoft Fixes Critical Entra ID Privilege Flaw (CVE-2026-42901) https://t.co/w3ukHXIsyu #Cyberupdates #Cybertechnews #Cybersecurity

    @unknownmatter19

    24 May 2026

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. Microsoft Fixes Critical Entra ID Privilege Flaw (CVE-2026-42901) https://t.co/ww0Av0mEAc #Cyberupdates #Cybertechnews #Cybersecurity

    @CyberInsights1

    24 May 2026

    4 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Microsoft Fixes Critical Entra ID Privilege Flaw (CVE-2026-42901) https://t.co/rHU84q107D #Cyberupdates #Cybertechnews #Cybersecurity

    @TheCyberDef

    23 May 2026

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Critical vulns: Microsoft Exchange zero-day (CVE-2026-42897) allows mailbox compromise. AI-gen 2FA bypass & new Azure/Entra ID (CVE-2026-42901) flaws threaten data privacy/integrity. Patch DNS! #Cybersecurity #ZeroDay #News

    @YourAnon_irc

    23 May 2026

    83 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. The severity is increased for this new vulnerability affecting Microsoft Entra (CVE-2026-42901) https://t.co/14HjDDPLUp

    @vuldb

    23 May 2026

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network.β€’CVE-2026-33843
  2. Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.β€’CVE-2026-40379
  3. Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.β€’CVE-2026-35431
  4. Azure Entra ID Elevation of Privilege Vulnerabilityβ€’CVE-2026-24305
  5. Azure Entra ID Elevation of Privilege Vulnerabilityβ€’CVE-2025-59218

References

Sources include official advisories and independent security research.