Cyber Resilience

CVE-2026-21229

High

Published: 10 February 2026

Published
10 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0090 55.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21229 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft Power Bi Report Server. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21229 is an improper input validation vulnerability (CWE-20) in Power BI. Published on 2026-02-10T18:16:23.453, it carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability enables an authorized attacker with low privileges to execute arbitrary code over a network. Exploitation requires low attack complexity but user interaction, allowing the attacker to achieve high confidentiality, integrity, and availability impacts on the affected system.

Microsoft's advisory provides details on mitigation; see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21229 for patches and guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Improper input validation in Power BI allows an authorized attacker to execute code over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Improper input validation enables remote arbitrary code execution in Power BI (network-accessible, low-priv attacker, user interaction), directly facilitating T1190 (public-facing app exploitation) and T1203 (client application exploitation for code exec).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40411Same vendor: Microsoft
CVE-2026-26106Same vendor: Microsoft
CVE-2026-20856Same vendor: Microsoft
CVE-2025-21344Same vendor: Microsoft
CVE-2026-32201Same vendor: Microsoft
CVE-2025-59228Same vendor: Microsoft
CVE-2026-26154Same vendor: Microsoft
CVE-2026-33844Same vendor: Microsoft
CVE-2026-20951Same vendor: Microsoft
CVE-2025-21273Same vendor: Microsoft

Affected Assets

microsoft
power bi report server
≤ 15.0.1120.113

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires systems to perform validation of all inputs to prevent exploitation of improper input validation vulnerabilities like CVE-2026-21229.

prevent

Mandates timely identification, reporting, and remediation of flaws such as this Power BI input validation vulnerability through patching.

prevent

Restricts the types and quantities of information inputs to reduce the attack surface for network-based input validation exploits.

References