Introduction
A maximum-severity SSRF vulnerability in Microsoft Entra ID Entitlement Management just earned a CVSS 10.0 score, yet the most notable aspect of this disclosure may be that customers do not need to do anything about it. Microsoft has already remediated CVE-2026-35431 entirely on the server side, publishing the CVE purely for transparency, a practice that reflects an evolving approach to cloud service vulnerability disclosure.
Technical Information
Root Cause: Server Side Request Forgery (CWE-918)
CVE-2026-35431 is a Server-Side Request Forgery vulnerability, classified under CWE-918. The flaw resides in Microsoft Entra ID Entitlement Management, an identity governance feature that enables organizations to manage identity and access lifecycles at scale. Entitlement Management uses "access packages" to bundle resources such as Microsoft Entra security groups, Microsoft 365 Groups, Teams, and SharePoint Online sites, making it a central component in many organizations' access governance workflows.
The SSRF vulnerability allows an unauthorized attacker to perform spoofing over a network. In practical terms, this means the vulnerable server-side component could be induced to make requests to unintended destinations, potentially allowing an attacker to interact with internal services, exfiltrate data, or manipulate the integrity of responses.
CVSS 3.1 Metric Breakdown
The CVSS 3.1 vector assigned by Microsoft (as the CNA) paints a worst-case picture:
| Metric | Value | Operational Implication |
|---|---|---|
| Base Score | 10.0 (Critical) | Maximum severity rating |
| Attack Vector (AV) | Network (N) | Exploitable remotely over the internet |
| Attack Complexity (AC) | Low (L) | No specialized access conditions required |
| Privileges Required (PR) | None (N) | No prior authentication needed |
| User Interaction (UI) | None (N) | Exploitable without any user participation |
| Scope (S) | Changed (C) | Impacts resources beyond the vulnerable component |
| Confidentiality (C) | High (H) | Total loss of confidentiality for impacted resources |
| Integrity (I) | High (H) | Total loss of integrity or complete loss of protection |
| Availability (A) | High (H) | Total loss of availability for the impacted component |
The "Changed" scope designation is particularly significant. It indicates that a successful exploit could affect resources beyond the security boundary of the vulnerable Entitlement Management component itself. For a cloud-hosted identity governance service, this could theoretically mean lateral movement into adjacent infrastructure or tenant resources, though the exact boundaries of the scope change are not detailed in the advisory.
What We Do Not Know
Specific exploit payloads, proof-of-concept code, and the exact tenant-side conditions that trigger the SSRF are not publicly detailed in any available advisory. The National Vulnerability Database (NVD) has published the CVE but has not yet provided its own independent assessment. The absence of technical specifics is consistent with Microsoft's approach to cloud service CVEs: because the fix is already deployed, detailed exploitation information serves little defensive purpose and could enable attacks against other, similar services.
Patch Information
Microsoft has confirmed that CVE-2026-35431 is fully patched. Released on April 23, 2026, this fix addresses the critical SSRF vulnerability in Microsoft Entra ID Entitlement Management.
What makes this patch noteworthy is its deployment model. Because Entra ID Entitlement Management is an exclusively cloud-hosted service, Microsoft applied the remediation entirely on the server side. This means no customer action is required. There is no downloadable update, no KB article, and no manual configuration change that administrators need to perform. The fix was rolled out transparently as part of Microsoft's internal cloud infrastructure update process.
The MSRC advisory explicitly states: "This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take." The purpose of publishing the CVE, as Microsoft explains, is solely for transparency. This practice aligns with Microsoft's broader initiative, documented in their Toward greater transparency: Unveiling Cloud Service CVEs blog, to publicly disclose vulnerabilities in cloud services even when no customer remediation step is necessary.
The CVSS temporal vector confirms the fix with a Remediation Level of O (Official Fix), indicating a complete vendor solution is in place. Despite the base CVSS 3.1 score of 10.0, the temporal score adjusts down to 8.7 because the official fix is deployed and no public exploit code currently exists (E:U, Exploit Code Maturity: Unproven).
The Security Updates table on the MSRC page lists a single entry for Microsoft Entra ID with Customer Action Required: Not Required, reinforcing that the remediation is complete and entirely Microsoft managed.
Posture Improvements Worth Considering
While no specific remediation action is needed for this CVE, organizations should use this disclosure as an opportunity to review their entitlement management configurations. Specifically, ensure that policies governing access packages enforce appropriate multi-stage approvals and time-limited assignments to prevent identities from retaining access indefinitely.
Affected Systems and Versions
The vulnerability affects Microsoft Entra ID Entitlement Management, a cloud-hosted identity governance service. Because this is a fully managed cloud service, there are no specific software version numbers, on-premises builds, or downloadable components to enumerate. All instances of the service were affected and have been remediated by Microsoft on the server side.