Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-24303 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-24 |
| Vendor | Microsoft |
| Product | Partner Center |
| CVSS Score | 9.6 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network. Exploiting the issue lets an attacker bypass the intended permission boundaries and perform actions reserved for higher-privileged roles in the partner portal, which may result in unauthorized modification of customer data or partner configuration.
Required Actions
Microsoft remediates cloud-service vulnerabilities on the server side, so most partners do not need to take manual action. Review the Microsoft Security Response Center advisory, audit sign-in history for Partner Center, review role assignments, and enforce MFA on all accounts with administrative access.
Who Is Affected?
This vulnerability affects Microsoft Partner Center. Check whether your organization uses the Partner Center portal and review its audit logs for suspicious activity around the disclosure window.
