{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32169", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-03-10T23:09:43.266Z", "datePublished": "2026-03-19T21:06:20.642Z", "dateUpdated": "2026-03-19T21:21:06.705Z"}, "containers": {"cna": {"title": "Azure Cloud Shell Elevation of Privilege Vulnerability", "datePublic": "2026-03-19T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_cloud_shell:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Cloud Shell", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-19T21:21:06.705Z"}, "references": [{"name": "Azure Cloud Shell Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32169"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}}}

{}

{"cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a network."}], "id": "CVE-2026-32169", "lastModified": "2026-03-19T21:17:10.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-19T21:17:10.233", "references": [{"source": "secure@microsoft.com", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32169"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Azure Cloud Shell", "source": "cna", "vendor": "Microsoft"}, "product": "azure_cloud_shell", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-19T22:25:10.934769+00:00", "value": {"mitigation_remediation": ["Check Microsoft\u2019s Azure Cloud Shell update guide for any available patches or updates and apply them as soon as possible. If no patch is available, monitor Azure Cloud Shell activity logs for unusual outbound network requests and consider implementing network segmentation or firewall rules to restrict internal service access from the cloud shell environment."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected systems are Microsoft Azure Cloud Shell. No specific version information is provided in the CVE data; all variants of the product are potentially impacted.", "description_and_impact": "The vulnerability is a Server\u2011Side Request Forgery (CWE\u2011918) in Azure Cloud Shell that allows an unprivileged or unauthorized attacker to send crafted requests to internal or external services, resulting in elevation of privileges over the network. By exploiting the SSRF flaw, an attacker could access resources that are normally restricted, potentially compromising confidentiality, integrity, or availability of data or services exposed through Azure Cloud Shell.", "risk_and_exploitability": "The CVSS score of 10 indicates a critical severity level. The EPSS score is not available, and the vulnerability is not listed under CISA\u2019s KEV catalog. The likely attack vector is via a network request originating from an Azure Cloud Shell session, inferring that an attacker with access to initiate Azure Shell sessions can trigger the SSRF. Exploitation would involve the attacker constructing malicious requests that the Shell forwards to internal services, thereby achieving privilege escalation within the Azure environment."}}}}, "created": "2026-03-20T08:56:03.012647+00:00", "updated": "2026-03-20T11:06:12.713848+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_cloud_shell"]}