Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-35431 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-24 |
| Vendor | Microsoft |
| Product | Entra ID Entitlement Management |
| CVSS Score | 10.0 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Server-side request forgery (SSRF) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network. By exploiting this issue, an attacker can coerce the Entitlement Management service into issuing HTTP requests to internal resources while impersonating an Entra ID component, potentially escalating identity-related access in the tenant.
Required Actions
Microsoft remediates cloud-service vulnerabilities on the server side, so most tenants do not need to apply a manual update. Review the Microsoft Security Response Center advisory, audit Entra ID logs for unusual Entitlement Management activity, and review permissions of application accounts with access to this service.
Who Is Affected?
This vulnerability affects Entra ID Entitlement Management by Microsoft. Check whether your organization uses Entitlement Management (lifecycle access management) in Entra ID and review logs for suspicious activity.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
