Introduction
A Markdown injection flaw in Azure Machine Learning Notebooks allows an unauthenticated attacker to spoof content and exfiltrate sensitive information from the Azure ML web interface, simply by getting a user to open a crafted notebook. With a CVSS 3.1 base score of 8.2 and a Changed scope that extends the impact beyond the vulnerable component itself, CVE-2026-33833 presents a meaningful confidentiality risk to any organization running data science workloads on Azure ML.
Microsoft disclosed and patched this vulnerability on May 12, 2026, as part of a Patch Tuesday cycle that addressed 120 vulnerabilities with no zero days. While exploitation is currently assessed as unlikely, the absence of any workarounds or mitigations means patching is the only path forward.
Technical Information
Root Cause: CWE-74 Injection in Markdown Rendering
The vulnerability is classified under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component. The core issue is that the Azure ML Notebook web interface did not properly sanitize user supplied content within Markdown cells before rendering it in the browser. An attacker could embed malicious styling or markup within a Markdown cell, and when another user opened or viewed that notebook, the crafted content would be rendered by the browser in the context of the Azure ML web application.
This is a classic output injection pattern: the notebook authoring component accepts arbitrary Markdown, but the rendering component (the Azure ML web UI) trusts that content without adequate neutralization. Because the rendering happens in the user's browser session within the Azure ML application context, the injected content can interact with or expose data visible in that session.
CVSS Vector Breakdown
The full CVSS 3.1 vector string is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C.
| Metric | Value | Practical Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely; no physical or local access needed |
| Attack Complexity | Low | No specialized conditions or race conditions required |
| Privileges Required | None | The attacker does not need any authentication to craft the payload |
| User Interaction | Required | A victim must open or view the malicious notebook |
| Scope | Changed | Impact extends beyond the vulnerable Markdown renderer to the broader Azure ML web session |
| Confidentiality | High | Sensitive information displayed in the Azure ML interface can be exposed |
| Integrity | Low | Some modification of displayed information is possible |
| Availability | None | No denial of service impact |
The Changed scope metric is particularly noteworthy. It indicates that the vulnerable component (the notebook Markdown renderer) and the impacted component (the Azure ML web interface session) are managed by different security authorities. This means the injection crosses a trust boundary, which is what elevates the base score.
Attack Flow
The exploitation path follows a straightforward sequence:
-
Notebook crafting: The attacker creates or imports an Azure ML notebook containing malicious styling or markup content within a Markdown cell. No authentication to the target environment is required at this stage; the attacker only needs to produce a notebook file with the injected payload.
-
Delivery: The attacker makes this notebook accessible to a target user. This could involve sharing it within a workspace, uploading it to a shared storage location, or distributing it through any channel where Azure ML users might import notebooks.
-
Trigger via rendering: When a legitimate user opens or views the notebook in the Azure ML web interface, the Markdown cell content is rendered without proper neutralization of the injected elements.
-
Information exposure: The injected content executes or renders in the context of the Azure ML web application. This allows the attacker to view sensitive information displayed within the interface. The High confidentiality impact and Low integrity impact suggest the attacker can read significant data and potentially alter some of what is displayed to the user.
Open Questions
Current advisories from Microsoft and the National Vulnerability Database do not specify exact affected version ranges or specific component builds beyond the patched version (build 1.7.6 of @azure-notebooks). Organizations should verify their environments regardless of assumed version.
Patch Information
Microsoft released an official fix on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The patch targets the Azure Machine Learning Notebook component, specifically hardening the output encoding and neutralization of special elements in notebook Markdown rendering to ensure that downstream components cannot be abused through injected content.
The patched version is delivered as build 1.7.6 of the @azure-notebooks component, packaged in the aznb-bundle.js bundle. The security update is distributed via Microsoft's CDN:
aznb-ame-prod.azureedge.net/component/1.7.6/aznb-bundle.js
While Azure Machine Learning is a cloud hosted service and many updates are applied server side, Microsoft has marked the Customer Action for this update as Required. This means affected users should verify their environment is running the updated component rather than assuming the fix has been automatically applied.
Key remediation details:
| Remediation Type | Availability | Notes |
|---|---|---|
| Official Fix | Available (build 1.7.6) | Complete vendor solution; CVSS remediation level is Official Fix (RL:O) |
| Mitigations | None | Microsoft identifies no mitigating factors |
| Workarounds | None | Microsoft identifies no workarounds |
The absence of any temporary controls makes this a straightforward patching decision. Microsoft rates the vulnerability as Exploitation Less Likely, so organizations can schedule the rollout in an orderly manner. However, the high confidentiality impact means it should not be deprioritized indefinitely.
Release notes for the @azure-notebooks package are hosted on Azure DevOps Artifacts but require authentication to access, so specific changelog entries are not publicly viewable.
Affected Systems and Versions
The affected product is Microsoft Azure Machine Learning, specifically the notebook rendering component. The patched build is 1.7.6 of the @azure-notebooks component. Any environment running a version prior to 1.7.6 should be considered potentially vulnerable.
Microsoft's advisory and the NVD entry do not enumerate specific affected version ranges or list particular Azure ML configurations that are more or less susceptible. Organizations using Azure ML notebooks in any capacity should verify they are running the updated component.
References
- Microsoft Security Update Guide: CVE-2026-33833
- NVD Entry: CVE-2026-33833
- Bleeping Computer: Microsoft Patch Tuesday May 2026 Report
- Zero Day Initiative: The May 2026 Security Update Review
- Bleeping Computer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- Cyber Security News: 120 Vulnerabilities Fixed, Including 29 Critical RCE Flaws
- Microsoft Exploitability Index



