CVE-2026-35431
CVSS 10.0
Daily digests
An attacker can hit Microsoft Entra ID Entitlement Management with a server-side request forgery (SSRF) over the network, no authentication required. SSRF means the attacker tricks the server into making requests on their behalf, potentially reaching internal services or spoofing identity data. CVSS 10.0, so Microsoft is rating this as bad as it gets, though no exploitation in the wild has been reported yet.