CRITICAL  CVE-2026-57100  CNA: microsoft

CVE-2026-57100: Microsoft Entra Provisioning Service Elevation of Privilege Vulnerability

Server-side request forgery (SSRF) in Microsoft Entra Provisioning Service (SyncFabric) allows an authorized attacker to elevate privileges over a network.

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: (no fix version published)
Affected Products: 1


HarborGuard Analysis

Synopsis

A server-side request forgery (SSRF) vulnerability exists in Microsoft Entra Provisioning Service (SyncFabric). An attacker with a low-privilege account can reach the service over the network and, without any victim interaction, trick the server into issuing requests on their behalf to escalate privileges across scope boundaries. Successful exploitation grants full read, write, and availability impact on affected resources, including components outside the vulnerable service itself. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Microsoft publishes a fix.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that incorporate affected versions of the Entra Provisioning Service components.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 9.9 (Critical) and weighting it against each environment's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Patch: Pending upstream

Because no fix version has been published by Microsoft, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a pull request opened against affected workloads as soon as a remediated base image becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the SyncFabric service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed but the service must be exposed to the attacker's network path.

  • Authentication: Required

    The attacker must hold a valid low-privilege account; the CVSS vector specifies PR:L, so any authenticated user, not just an admin, is sufficient to attempt exploitation.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the CVSS vector specifies UI:N, meaning the attacker can trigger the SSRF entirely through their own requests.

  • Attack complexity: Low

    The CVSS vector specifies AC:L, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors that the attacker cannot control.

Blast Radius

  • A successful attacker causes the Entra Provisioning Service to issue arbitrary internal HTTP requests, potentially reaching internal APIs, metadata endpoints, or downstream identity infrastructure that are not directly exposed externally.
  • The attacker reads sensitive data accessible to the service identity, including credentials, tokens, or provisioning configuration stored in reachable internal systems (CVSS C:H).
  • The attacker modifies provisioning data or internal resource state, including user account attributes or group memberships managed by SyncFabric (CVSS I:H).
  • The attacker disrupts availability of the provisioning service or dependent systems it can reach, causing provisioning failures or service outages (CVSS A:H). The changed scope (S:C) means impact extends beyond the vulnerable component itself.

How HarborGuard Handles This

Available on HarborGuard: because Microsoft has not yet published a fix for this Critical-severity SSRF, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment an upstream fix appears. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a pull request opened against affected workloads, with no manual intervention required. In the interim, compensating controls available to HarborGuard-managed environments include network-policy isolation to restrict egress from containers running SyncFabric components, egress filtering rules that prevent the service from reaching internal metadata or credential endpoints, and feature-flag gating to disable affected provisioning flows where operationally possible. Where compliance policy permits, HarborGuard can flag any image containing affected Entra Provisioning Service components for immediate quarantine from production promotion until a fix is available.

Affected packages
  • Microsoft / Microsoft Entra Provisioning Service: -
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C