CVE-2026-21227
Published: 22 January 2026
Summary
CVE-2026-21227 is a high-severity Path Traversal (CWE-22) vulnerability in Microsoft Azure Logic Apps. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 38.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21227, published on 2026-01-22, is an improper limitation of a pathname to a restricted directory vulnerability, classified as path traversal (CWE-22), affecting Azure Logic Apps. This flaw enables unauthorized privilege elevation and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and no prerequisite privileges or user interaction.
An unauthorized attacker can exploit this vulnerability remotely over the network without authentication. Successful exploitation allows privilege elevation, resulting in high confidentiality impact through unauthorized access to sensitive data and low integrity impact, with no availability disruption.
The Microsoft Security Response Center advisory provides details on mitigation and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21227.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4506
Vulnerability details
Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal vulnerability in public-facing Azure Logic Apps enables remote exploitation without authentication (T1190) leading to unauthorized privilege elevation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly and comprehensively mitigates path traversal by requiring validation of pathname inputs to ensure they remain within restricted directories.
- AC-3 (Access Enforcement): enforces approved access authorizations to block unauthorized privilege elevation resulting from improper pathname limitations.
- AC-25 (Reference Monitor): implements a reference monitor to mediate and enforce access control policies on system resources, countering path traversal bypasses.
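As an added illustration of the SI-10 pathname validation described above (example code written for this page, not Microsoft's or Azure Logic Apps' implementation, which the advisory does not describe), the following Python canonicalises a user-supplied relative name and accepts it only if the resolved path stays inside a restricted base directory. The base directory, request strings and the escaping symlink in `demo()` are constructed for the demonstration.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path for `requested` if it stays inside `base_dir`,
    else None. The caller opens only the returned path, never the raw input."""
    decoded = requested
    for _ in range(3):                 # decode repeatedly: "%252e" -> "%2e" -> "."
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    if "\x00" in decoded:              # NUL (literal or %00) can truncate the path
        return None
    decoded = decoded.replace("\\", "/")   # backslash is a separator on Windows hosts
    if decoded.startswith("/"):            # only relative names are acceptable
        return None
    base_real = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment check
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # trailing separator stops "<base>-secret" matching as a child of "<base>"
    if candidate == base_real or candidate.startswith(base_real + os.sep):
        return candidate
    return None


def demo() -> dict:
    """Constructed scenario: a base dir with an 'inputs' subdir and a symlink
    that points back out to the parent. Maps each request to accepted (True)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "workflow-data")
        os.makedirs(os.path.join(base, "inputs"))
        os.symlink(tmp, os.path.join(base, "escape"))
        requests = [
            "inputs/order.json",              # legitimate
            "../secrets.env",                 # plain dot-dot
            "..%2f..%2fsecrets.env",          # URL-encoded separator
            "%252e%252e/secrets.env",         # double-encoded dot-dot
            "inputs\\..\\..\\secrets.env",    # backslash separators
            "escape/secrets.env",             # symlink escaping the base
            "../workflow-data-secret/x",      # sibling dir sharing the base prefix
            "inputs/order.json\x00.txt",      # embedded NUL
        ]
        return {r: resolve_within(base, r) is not None for r in requests}
```

Only the first request is accepted; every other variant is rejected by the containment check rather than by a denylist of `..` strings.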