Summary

Microsoft patched a critical SSRF vulnerability (CVE-2026-35431) in Entra ID Entitlement Management with a CVSS score of 10.0 that allowed unauthenticated spoofing and internal network access. The flaw was fixed server-side, requiring no action from users to secure their environments.

Take Action:

No action is needed on your part, Microsoft already fixed this vulnerability on their cloud servers on April 23, 2026. As a good practice, review your Entra ID sign-in and audit logs for any unusual activity from before that date, and ensure multi-factor authentication is enforced for all admin accounts.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines