PatchSiren cyber security CVE debrief
CVE-2026-42901 Microsoft CVE debrief
A critical origin validation vulnerability in Microsoft Entra ID permits unauthenticated network-based attackers to escalate privileges. The flaw, rooted in CWE-346 (Origin Validation Error), carries a CVSS 3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity with network exploitability, no privileges required, and high impact across confidentiality, integrity, and availability with scope change. Microsoft published guidance on May 22, 2026, with subsequent modification on May 26, 2026. The vulnerability remains under active analysis per NVD status. No known exploitation in ransomware campaigns has been confirmed, and the issue has not been added to CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Microsoft
- Product: Microsoft Entra
- CVSS: CRITICAL 10.0
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-27
Who should care
Organizations using Microsoft Entra ID (formerly Azure AD) for identity and access management, whether in hybrid or cloud-only deployments. Security teams responsible for identity infrastructure, authentication systems, and privileged access management. Compliance officers tracking critical vulnerability response timelines. Managed service providers and cloud security architects designing zero-trust architectures that depend on Entra ID as the identity provider.
Technical summary
The vulnerability stems from insufficient origin validation in Microsoft Entra ID, Microsoft's cloud-based identity and access management service. Origin validation errors (CWE-346) occur when a system acts on a request, token, or message without adequately verifying where it came from, so an attacker can supply input from a source the system should not trust and have it treated as legitimate. In identity infrastructure, such flaws can let an attacker bypass authentication boundaries, hijack sessions, or obtain privileges without valid credentials. The network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N) mean the flaw is remotely exploitable by an unauthenticated attacker without any victim action. Scope change (S:C) means a successful exploit affects resources beyond the security authority of the vulnerable component; in a multi-tenant identity service that could in principle include other tenants, but the sources summarized here do not identify which boundary is crossed. Those sources also do not describe the specific request or flow that is mishandled, so the mechanism sketched above is the general behaviour of the weakness class rather than confirmed detail of this CVE.
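To make the weakness class concrete, here is an added example (not Microsoft's code, and not the Entra ID defect itself, whose mechanism the sources above do not describe) of the pattern behind many CWE-346 findings: an origin allow-list enforced with a prefix match, beside a strict comparison of the normalized scheme, host, and port. The allow-list entries and the test origins are constructed values for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allow-list for the example; constructed values, not any real
# tenant's or Microsoft's configuration.
ALLOWED_ORIGINS = {
    "https://login.contoso.example",
    "https://app.contoso.example",
}


def origin_allowed_weak(origin: str) -> bool:
    """Deliberately flawed check: a prefix test, the shape behind many CWE-346
    findings. Any origin that merely *starts with* an allowed value passes,
    including attacker-controlled hosts such as login.contoso.example.evil.test."""
    return any(origin.startswith(allowed) for allowed in ALLOWED_ORIGINS)


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalise an Origin value to scheme://host[:port], or return None when
    it is not a bare origin (no path, userinfo, query or fragment permitted)."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # userinfo ("allowed-host@evil") and any path/query/fragment mean this is
    # not a plain origin; reject rather than guess.
    if parts.username is not None or parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname  # already lower-cased by urlsplit
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed_strict(origin: str) -> bool:
    """Hardened check: exact match of the normalized origin against the allow-list."""
    normalized = normalize_origin(origin)
    return normalized is not None and normalized in ALLOWED_ORIGINS


if __name__ == "__main__":
    for candidate in ("https://login.contoso.example",
                      "https://LOGIN.contoso.example:443/",
                      "https://login.contoso.example.evil.test",
                      "https://login.contoso.example@evil.test",
                      "null"):
        print(f"{candidate:45} weak={origin_allowed_weak(candidate)!s:5} "
              f"strict={origin_allowed_strict(candidate)}")
```

The strict variant normalizes before comparing so that case and default-port differences do not cause false rejections, while anything that is not a bare origin (userinfo, path, the literal `null`) is refused outright.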
Defensive priority
critical
Recommended defensive actions
- Monitor Microsoft Security Response Center for security update release and deployment guidance
- Review Entra ID authentication and authorization configurations for origin validation controls
- Apply security updates immediately upon availability given the critical CVSS score and network attack vector; for the cloud-hosted Entra ID service Microsoft typically remediates service-side, so confirm in the MSRC advisory whether any customer-side action (for example updating hybrid identity components) is required
- Audit privileged access assignments in Entra ID environments to reduce blast radius
- Enable comprehensive logging for Entra ID sign-in and audit events to detect anomalous privilege escalation attempts
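As an added example of the last two actions (not part of the original debrief or of Microsoft's tooling), the following Python runs over a few constructed records shaped like Entra ID directory audit entries and flags successful additions to privileged directory roles, marking self-grants separately. The field names (activityDisplayName, category, initiatedBy, targetResources, modifiedProperties with Role.DisplayName) follow the Microsoft Graph directoryAudit resource as the author understands it; the privileged-role list, the activity names and the sample records are assumptions to tune for your own tenant.

```python
import json
from typing import Any, Dict, Iterable, List, Optional

# Roles whose assignment is treated as a privilege-escalation signal.
# Constructed list for this example; align it with the tenant's own tiering.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Application Administrator",
}

# Activity names for direct role assignment (assumption). PIM-driven
# assignments log different activityDisplayName strings; extend as needed.
ROLE_ADD_ACTIVITIES = {"Add member to role", "Add eligible member to role"}


def _decode_role_name(prop: Dict[str, Any]) -> Optional[str]:
    """modifiedProperties values arrive as JSON string literals
    (e.g. "\\"Global Administrator\\""); fall back to the raw value otherwise."""
    value = prop.get("newValue")
    if not isinstance(value, str):
        return None
    try:
        decoded = json.loads(value)
    except ValueError:
        decoded = value
    return decoded if isinstance(decoded, str) else None


def privileged_role_grants(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return one finding per successful addition of a principal to a privileged role."""
    findings: List[Dict[str, Any]] = []
    for rec in records:
        if rec.get("category") != "RoleManagement" or rec.get("result") != "success":
            continue  # failed attempts are worth alerting on too, but are not grants
        if rec.get("activityDisplayName") not in ROLE_ADD_ACTIVITIES:
            continue
        initiated = rec.get("initiatedBy") or {}
        actor = initiated.get("user") or initiated.get("app") or {}
        actor_name = actor.get("userPrincipalName") or actor.get("displayName") or "unknown"
        for target in rec.get("targetResources") or []:
            target_name = target.get("userPrincipalName") or target.get("displayName") or "unknown"
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") != "Role.DisplayName":
                    continue
                role = _decode_role_name(prop)
                if role in PRIVILEGED_ROLES:
                    findings.append({
                        "time": rec.get("activityDateTime"),
                        "actor": actor_name,
                        "actor_ip": actor.get("ipAddress"),
                        "target": target_name,
                        "role": role,
                        # An actor adding themselves to a privileged role is the
                        # classic escalation shape and deserves immediate triage.
                        "self_grant": actor_name.lower() == target_name.lower(),
                    })
    return findings


def _role_change(upn: str, role: str) -> Dict[str, Any]:
    """Build a constructed targetResources entry for a role assignment."""
    return {"type": "User", "userPrincipalName": upn, "modifiedProperties": [
        {"displayName": "Role.DisplayName", "oldValue": None, "newValue": json.dumps(role)}]}


# Constructed sample records, not a real tenant's export.
SAMPLE_AUDIT_RECORDS = [
    {"activityDateTime": "2026-05-23T02:14:09Z", "activityDisplayName": "Add member to role",
     "category": "RoleManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "svc-sync@contoso.example", "ipAddress": "203.0.113.7"}},
     "targetResources": [_role_change("jdoe@contoso.example", "Global Administrator")]},
    # Routine helpdesk delegation: a real role change, but not a privileged role.
    {"activityDateTime": "2026-05-23T09:02:41Z", "activityDisplayName": "Add member to role",
     "category": "RoleManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "itadmin@contoso.example", "ipAddress": "198.51.100.4"}},
     "targetResources": [_role_change("helpdesk1@contoso.example", "Helpdesk Administrator")]},
    # Self-grant of a privileged role.
    {"activityDateTime": "2026-05-23T02:15:30Z", "activityDisplayName": "Add member to role",
     "category": "RoleManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example", "ipAddress": "203.0.113.7"}},
     "targetResources": [_role_change("jdoe@contoso.example", "Privileged Role Administrator")]},
    # Failed attempt: recorded, but not an actual grant.
    {"activityDateTime": "2026-05-23T02:16:02Z", "activityDisplayName": "Add member to role",
     "category": "RoleManagement", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@contoso.example", "ipAddress": "203.0.113.7"}},
     "targetResources": [_role_change("svc-sync@contoso.example", "Global Administrator")]},
    # Unrelated user-management event.
    {"activityDateTime": "2026-05-23T10:00:00Z", "activityDisplayName": "Update user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "itadmin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "helpdesk1@contoso.example",
                          "modifiedProperties": []}]},
]

if __name__ == "__main__":
    for f in privileged_role_grants(SAMPLE_AUDIT_RECORDS):
        flag = " [SELF-GRANT]" if f["self_grant"] else ""
        print(f"{f['time']} {f['actor']} ({f['actor_ip']}) -> {f['target']}: {f['role']}{flag}")
```

In production the same function would consume the directoryAudits export or a Log Analytics query result; the point of the sample is that a service account granting Global Administrator and a user granting themselves Privileged Role Administrator both surface, while routine helpdesk delegation and failed attempts do not pollute the result.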
Evidence notes
Official sources confirm Microsoft as the affected vendor through the MSRC reference. The vulnerability classification as CWE-346 (Origin Validation Error) originates from Microsoft's primary submission. CVSS vector and scoring derive from NVD analysis of Microsoft-provided data. Vendor identification carries low confidence due to automated parsing from reference domain candidates; manual verification recommended.
Official resources
- CVE-2026-42901 CVE record (CVE.org)
- CVE-2026-42901 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
Microsoft disclosed this vulnerability through its Security Response Center on May 22, 2026. The NVD record was subsequently modified on May 26, 2026, reflecting ongoing analysis. No public exploitation reports or ransomware campaign affili