PatchSiren cyber security CVE debrief
CVE-2026-41104 Microsoft CVE debrief
A critical deserialization vulnerability in Microsoft Planetary Computer Pro enables unauthenticated remote attackers to disclose sensitive information over a network. The flaw stems from improper handling of untrusted data during deserialization (CWE-502), with a CVSS 3.1 score of 10.0 indicating maximum severity due to network attack vector, low complexity, no privileges required, and no user interaction needed. The vulnerability carries scope-changing impact with high confidentiality, integrity, and availability consequences. Microsoft has acknowledged this issue through their Security Response Center. The CVE was published on May 22, 2026 and last modified on May 26, 2026, with NVD status currently 'Undergoing Analysis'. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Microsoft
- Product: Microsoft Planetary Computer Pro (GeoCatalog)
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-29
Who should care
Organizations operating Microsoft Planetary Computer Pro instances, particularly those exposed to network-accessible interfaces. Data science and geospatial analytics teams using Microsoft's planetary computing platform. Security teams responsible for cloud-based scientific computing infrastructure. Organizations processing sensitive geospatial or environmental data through Planetary Computer Pro services.
Technical summary
The vulnerability exists in Microsoft Planetary Computer Pro's handling of deserialized data from untrusted sources. Attackers can exploit this flaw remotely without authentication to achieve information disclosure. The CVSS 3.1 vector indicates network accessibility, low attack complexity, no privilege requirements, and scope-changing impact with high ratings across confidentiality, integrity, and availability. The underlying weakness is CWE-502 (Deserialization of Untrusted Data), a common class of vulnerabilities where applications deserialize attacker-controlled data without proper validation, potentially leading to arbitrary code execution or information disclosure depending on available gadget chains in the application environment.
Defensive priority
critical
Recommended defensive actions
- Apply security updates from Microsoft as soon as available per MSRC guidance
- Review Microsoft Planetary Computer Pro deployments for exposure to untrusted network input
- Implement network segmentation to limit exposure of Planetary Computer Pro instances
- Monitor Microsoft Security Response Center for patch availability and updated guidance
- Audit deserialization implementations in custom code interacting with Planetary Computer Pro
- Enable comprehensive logging for deserialization operations to detect anomalous activity
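The technical summary above describes CWE-502 in general terms, and the last two defensive actions ask for audited deserialization code and logging of deserialization operations. The following is an added illustration, not code from this page, from Microsoft, or from Planetary Computer Pro (whose actual serialization format is not disclosed here). It assumes Python and uses pickle as the stand-in native deserializer; the catalog-item shape, the field names and the source address are constructed for the example. It places the vulnerable pattern (a raw loader that resolves whatever module global the stream names) beside two mitigations: a restricted unpickler that refuses every global lookup, and a data-only JSON loader with explicit shape validation, with each rejection written to an audit list that a detection pipeline could consume.

```python
import collections
import io
import json
import pickle
from typing import Any, Callable

# Constructed sample record in the shape of a catalog item (hypothetical field
# set; not GeoCatalog's real schema and nothing here is Microsoft's code).
SAMPLE_ITEM = {
    "id": "item-001",
    "bbox": [-122.5, 37.7, -122.3, 37.9],
    "properties": {"datetime": "2026-05-22T00:00:00Z"},
}

# Audit trail for rejected payloads: the "log deserialization operations"
# control from the defensive actions, kept in memory for the example.
REJECTIONS: list[str] = []


def load_unsafe(payload: bytes) -> Any:
    """The CWE-502 pattern: pickle.loads on bytes a remote client supplied.
    pickle resolves any module.global the stream names while loading, so the
    sender, not the application, decides which classes and callables are used."""
    return pickle.loads(payload)


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation when the native format cannot be removed yet: refuse every
    global lookup, so only plain containers and scalars (dict, list, str,
    numbers, bool, None) can be reconstructed from the stream."""

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(payload: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def load_json_validated(payload: bytes) -> dict:
    """Preferred fix: a data-only format plus explicit validation of the shape
    the application actually expects (allowlisted fields, typed values)."""
    obj = json.loads(payload)
    if not isinstance(obj, dict):
        raise ValueError("top-level value must be an object")
    extra = set(obj) - {"id", "bbox", "properties"}
    if extra:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    if not isinstance(obj.get("id"), str):
        raise ValueError("id must be a string")
    bbox = obj.get("bbox")
    if not (isinstance(bbox, list) and len(bbox) == 4
            and all(isinstance(x, (int, float)) and not isinstance(x, bool) for x in bbox)):
        raise ValueError("bbox must be four numbers")
    if not isinstance(obj.get("properties", {}), dict):
        raise ValueError("properties must be an object")
    return obj


def try_load(loader: Callable[[bytes], Any], payload: bytes, source: str) -> tuple[bool, Any]:
    """Run one loader over one payload; record every rejection with its reason
    and the (constructed) source address so the event can be alerted on."""
    try:
        return True, loader(payload)
    except (pickle.UnpicklingError, ValueError, TypeError) as exc:
        REJECTIONS.append(f"reject source={source} loader={loader.__name__} reason={exc}")
        return False, None


def benign_pickle() -> bytes:
    """Pickle of plain containers only: no global references in the stream."""
    return pickle.dumps(SAMPLE_ITEM)


def pickle_with_global() -> bytes:
    """Pickle that names a class. collections.OrderedDict is harmless, but the
    stream encodes any importable global the same way, which is why the
    restricted loader refuses all of them instead of judging each one."""
    return pickle.dumps(collections.OrderedDict(SAMPLE_ITEM))


def benign_json() -> bytes:
    return json.dumps(SAMPLE_ITEM).encode()


if __name__ == "__main__":
    src = "10.0.0.5"  # constructed client address
    print(try_load(load_unsafe, pickle_with_global(), src))       # accepted: resolves the global
    print(try_load(load_restricted, benign_pickle(), src))        # accepted: plain data only
    print(try_load(load_restricted, pickle_with_global(), src))   # rejected and logged
    print(try_load(load_json_validated, benign_json(), src))      # accepted after validation
    print(try_load(load_json_validated, b'{"id": 1}', src))       # rejected: id is not a string
    for line in REJECTIONS:
        print(line)
```

The point of the contrast is that the unsafe loader accepts the stream carrying a class reference without complaint, while the restricted loader rejects it before any class is looked up; the JSON path removes the native deserializer entirely, which is the change an audit of custom integration code should aim for. The rejection lines are the signal worth forwarding to a SIEM: a burst of forbidden-global rejections from one source is the anomalous activity the logging recommendation is meant to surface.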
Evidence notes
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. CWE-502 (Deserialization of Untrusted Data) identified as primary weakness. NVD status: Undergoing Analysis.
Official resources
- CVE-2026-41104 CVE record (CVE.org)
- CVE-2026-41104 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Microsoft acknowledged this vulnerability through MSRC. No public exploitation details or proof-of-concept code has been released.