CVE-2026-45499 | Severity: CRITICAL | CNA: microsoft

CVE-2026-45499: Azure OpenAI Elevation of Privilege Vulnerability

Server-side request forgery (SSRF) in Azure OpenAI allows an authorized attacker to elevate privileges over a network.

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: none published
  • Affected products: 1


HarborGuard Analysis

Synopsis

A server-side request forgery (SSRF) vulnerability exists in Azure OpenAI that allows an attacker with any valid account to make the service issue unauthorized requests on their behalf, effectively pivoting to internal resources. The vulnerability is reachable over the network and requires only low-privilege credentials, with no victim interaction needed. Successful exploitation grants full control over confidentiality, integrity, and availability in a scope that extends beyond the directly vulnerable component. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Microsoft publishes a fix.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built ones that bundle Azure OpenAI dependencies. Any image containing an affected version is flagged immediately in the pipeline scan results.

Triage: Available

HarborGuard scores this finding at CVSS 9.9 Critical and surfaces it with the highest priority routing available, weighted against each environment's configured compliance policy. Triage alerts are routed to the inbox or channel designated by each customer organization for critical-severity findings.

Patch: Pending upstream

No fix version has been published by Microsoft for this vulnerability. HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released, with auto-remediation customers receiving a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Azure OpenAI service endpoint over the network; the attack vector is fully remote with no physical or local access required.

  • Authentication: Required

    The attacker must hold at least one low-privilege account; any valid credential is sufficient, but unauthenticated access alone is not enough.

  • Victim interaction: Not required

    No user action, click, or social-engineering step is needed; the attacker can trigger the vulnerability entirely on their own.

  • Attack complexity: Low

    Exploit conditions are straightforward and reliable with no race conditions, special memory layouts, or environmental prerequisites required.

Blast Radius

  • Reads internal service responses and metadata that the Azure OpenAI endpoint can reach, including resources that would otherwise be inaccessible to the attacker's account.
  • Modifies data or configuration in backend systems reachable via the forged server-side requests, extending write impact beyond the attacker's normal privilege boundary.
  • Disrupts availability of internal services targeted by the SSRF chain, crashing or exhausting resources in components that were never intended to accept external input.
  • The Changed scope means impact extends to systems and tenants outside the directly vulnerable Azure OpenAI component, amplifying the blast radius beyond a single service boundary.

How HarborGuard Handles This

Available on HarborGuard: because Microsoft has not yet published a fix, HarborGuard monitors the upstream advisory on every ingest cycle and will automatically surface a patched-image rebuild the moment a fix version is released. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression-test run and a PR opened against affected workloads. While no patch is available, recommended compensating controls include applying strict network-policy isolation to any workload that communicates with Azure OpenAI endpoints, enforcing egress filtering to prevent unauthorized outbound requests from containers, and disabling or gating any application features that pass user-controlled URLs to the Azure OpenAI API. Customers should also review service-account permissions to ensure the minimum privilege level is enforced, reducing the likelihood that a low-privilege SSRF pivot reaches sensitive internal resources.
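The compensating controls above include gating any feature that forwards user-controlled URLs and enforcing egress filtering. As an added illustration that is not HarborGuard's or Microsoft's code, the following Python gate shows what such an application-side check looks like before a user-supplied URL is handed to any backend or AI API: it requires HTTPS, rejects embedded credentials, enforces a hostname allowlist, and resolves the host so that names pointing at loopback, private, or link-local ranges are refused. The allowlist entries and the resolver results are constructed for the example; `resolve` is injectable so the check can be exercised offline.

```python
"""
Added example (not HarborGuard's or Microsoft's code): a pre-flight gate for
user-controlled URLs before an application forwards them to a backend API.
"""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlparse

# Constructed allowlist: hosts this application is permitted to fetch from.
ALLOWED_HOSTS = {"cdn.example.com", "images.example.org"}

# Address ranges that must never be reachable through a forwarded URL.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local, incl. instance-metadata endpoints
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def is_blocked_address(addr: str) -> bool:
    """True if the IP literal falls in a range the egress policy forbids."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot bypass the v4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_host(host: str) -> List[str]:
    """Default resolver: every address the host currently resolves to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_outbound_url(
    url: str, resolve: Callable[[str], List[str]] = resolve_host
) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the application would fetch on a user's behalf."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme must be https"
    if parsed.username or parsed.password:
        return False, "credentials in URL are not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"host resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline; the second host deliberately
    # resolves to a private address to show the rebinding-style rejection.
    fake = {"cdn.example.com": ["203.0.113.10"], "images.example.org": ["10.0.0.5"]}
    for candidate in [
        "https://cdn.example.com/a.png",
        "http://cdn.example.com/a.png",
        "https://images.example.org/x",
        "https://169.254.1.1/",
    ]:
        print(candidate, validate_outbound_url(candidate, resolve=fake.get))
```

Because DNS can change between the check and the actual connection, the resolved addresses should also be pinned when the request is made (connect to the vetted IP, not to the name again); the gate above is the application-layer half of the control and complements, rather than replaces, the network-layer egress filtering the page recommends.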

Affected packages

  • Microsoft / Azure Open AI (fixed version: -)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C