ZeroPath at Black Hat USA 2026

Brief Summary: Azure Machine Learning Notebook Spoofing via Markdown Injection (CVE-2026-33833)

A short review of CVE-2026-33833, an injection flaw in Azure Machine Learning Notebook Markdown rendering that enables spoofing with high confidentiality impact. Includes technical details, CVSS breakdown, and patch information for build 1.7.6.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: Azure Machine Learning Notebook Spoofing via Markdown Injection (CVE-2026-33833)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A Markdown injection flaw in Azure Machine Learning Notebooks allows an unauthenticated attacker to spoof content and exfiltrate sensitive information from the Azure ML web interface, simply by getting a user to open a crafted notebook. With a CVSS 3.1 base score of 8.2 and a Changed scope that extends the impact beyond the vulnerable component itself, CVE-2026-33833 presents a meaningful confidentiality risk to any organization running data science workloads on Azure ML.

Microsoft disclosed and patched this vulnerability on May 12, 2026, as part of a Patch Tuesday cycle that addressed 120 vulnerabilities with no zero days. While exploitation is currently assessed as unlikely, the absence of any workarounds or mitigations means patching is the only path forward.

Technical Information

Root Cause: CWE-74 Injection in Markdown Rendering

The vulnerability is classified under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component. The core issue is that the Azure ML Notebook web interface did not properly sanitize user supplied content within Markdown cells before rendering it in the browser. An attacker could embed malicious styling or markup within a Markdown cell, and when another user opened or viewed that notebook, the crafted content would be rendered by the browser in the context of the Azure ML web application.

This is a classic output injection pattern: the notebook authoring component accepts arbitrary Markdown, but the rendering component (the Azure ML web UI) trusts that content without adequate neutralization. Because the rendering happens in the user's browser session within the Azure ML application context, the injected content can interact with or expose data visible in that session.

CVSS Vector Breakdown

The full CVSS 3.1 vector string is AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C.

MetricValuePractical Implication
Attack VectorNetworkExploitable remotely; no physical or local access needed
Attack ComplexityLowNo specialized conditions or race conditions required
Privileges RequiredNoneThe attacker does not need any authentication to craft the payload
User InteractionRequiredA victim must open or view the malicious notebook
ScopeChangedImpact extends beyond the vulnerable Markdown renderer to the broader Azure ML web session
ConfidentialityHighSensitive information displayed in the Azure ML interface can be exposed
IntegrityLowSome modification of displayed information is possible
AvailabilityNoneNo denial of service impact

The Changed scope metric is particularly noteworthy. It indicates that the vulnerable component (the notebook Markdown renderer) and the impacted component (the Azure ML web interface session) are managed by different security authorities. This means the injection crosses a trust boundary, which is what elevates the base score.

Attack Flow

The exploitation path follows a straightforward sequence:

  1. Notebook crafting: The attacker creates or imports an Azure ML notebook containing malicious styling or markup content within a Markdown cell. No authentication to the target environment is required at this stage; the attacker only needs to produce a notebook file with the injected payload.

  2. Delivery: The attacker makes this notebook accessible to a target user. This could involve sharing it within a workspace, uploading it to a shared storage location, or distributing it through any channel where Azure ML users might import notebooks.

  3. Trigger via rendering: When a legitimate user opens or views the notebook in the Azure ML web interface, the Markdown cell content is rendered without proper neutralization of the injected elements.

  4. Information exposure: The injected content executes or renders in the context of the Azure ML web application. This allows the attacker to view sensitive information displayed within the interface. The High confidentiality impact and Low integrity impact suggest the attacker can read significant data and potentially alter some of what is displayed to the user.

Open Questions

Current advisories from Microsoft and the National Vulnerability Database do not specify exact affected version ranges or specific component builds beyond the patched version (build 1.7.6 of @azure-notebooks). Organizations should verify their environments regardless of assumed version.

Patch Information

Microsoft released an official fix on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The patch targets the Azure Machine Learning Notebook component, specifically hardening the output encoding and neutralization of special elements in notebook Markdown rendering to ensure that downstream components cannot be abused through injected content.

The patched version is delivered as build 1.7.6 of the @azure-notebooks component, packaged in the aznb-bundle.js bundle. The security update is distributed via Microsoft's CDN:

aznb-ame-prod.azureedge.net/component/1.7.6/aznb-bundle.js

While Azure Machine Learning is a cloud hosted service and many updates are applied server side, Microsoft has marked the Customer Action for this update as Required. This means affected users should verify their environment is running the updated component rather than assuming the fix has been automatically applied.

Key remediation details:

Remediation TypeAvailabilityNotes
Official FixAvailable (build 1.7.6)Complete vendor solution; CVSS remediation level is Official Fix (RL:O)
MitigationsNoneMicrosoft identifies no mitigating factors
WorkaroundsNoneMicrosoft identifies no workarounds

The absence of any temporary controls makes this a straightforward patching decision. Microsoft rates the vulnerability as Exploitation Less Likely, so organizations can schedule the rollout in an orderly manner. However, the high confidentiality impact means it should not be deprioritized indefinitely.

Release notes for the @azure-notebooks package are hosted on Azure DevOps Artifacts but require authentication to access, so specific changelog entries are not publicly viewable.

Affected Systems and Versions

The affected product is Microsoft Azure Machine Learning, specifically the notebook rendering component. The patched build is 1.7.6 of the @azure-notebooks component. Any environment running a version prior to 1.7.6 should be considered potentially vulnerable.

Microsoft's advisory and the NVD entry do not enumerate specific affected version ranges or list particular Azure ML configurations that are more or less susceptible. Organizations using Azure ML notebooks in any capacity should verify they are running the updated component.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization