Cyber Posture

CVE-2026-26143

Severity: High

Published: 14 April 2026
Modified: 27 April 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.2nd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26143 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft PowerShell. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique PowerShell (T1059.001). EPSS ranks it at the 28.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to PowerShell (T1059.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10, Information Input Validation (prevent): directly addresses the improper input validation (CWE-20) weakness by requiring validation at PowerShell input points so that security features cannot be bypassed.

SI-2, Flaw Remediation (prevent): ensures timely identification, reporting, and patching of the specific PowerShell flaw referenced in the MSRC update guide, preventing exploitation.

Secure configuration control (prevent; control identifier not given on this page): establishes secure configuration settings for PowerShell, such as execution policies or constrained language mode, to reduce local bypass risk until the fix is fully deployed.

MITRE ATT&CK Enterprise Techniques

T1059.001 PowerShell Execution
Adversaries may abuse PowerShell commands and scripts for execution.
Why these techniques?

The CVE describes an improper input validation flaw in PowerShell that directly bypasses its built-in security controls (e.g., execution policy, AMSI, constrained language mode). This enables an attacker to run arbitrary PowerShell commands/scripts locally that would otherwise be blocked, mapping directly to the PowerShell command-and-scripting-interpreter technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper input validation in Microsoft PowerShell allows an unauthorized attacker to bypass a security feature locally.

Deeper analysis

CVE-2026-26143 is an improper input validation vulnerability (CWE-20) in Microsoft PowerShell that enables an unauthorized attacker to bypass a security feature locally. Published on 2026-04-14, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker with local access to the system can exploit this vulnerability with low attack complexity and no prior privileges, though user interaction is required. Successful exploitation has a high impact on confidentiality, integrity, and availability, effectively bypassing PowerShell's security controls.

The Microsoft Security Response Center provides details on mitigation and patches in its update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26143.

Details

CWE(s): CWE-20 (Improper Input Validation)

Affected Products: Microsoft PowerShell 7.4 through 7.4.14 and 7.5 through 7.5.5
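As an added example (not from this advisory, Microsoft, or the PowerShell project), the check below inventories installed PowerShell 7 builds and the current session against the affected ranges listed here, and reports the language mode and execution policy that the configuration control above refers to. It assumes the default install path under Program Files, that the 7.4 range starts at 7.4.0 and the 7.5 range at 7.5.0, and it does not assume any fixed build number: versions outside the listed ranges are simply reported as not in range.

```powershell
# Added example for CVE-2026-26143 triage; not code from the advisory or from PowerShell.
# Affected ranges are taken from this page; range start points (x.y.0) are an assumption.
$AffectedRanges = @(
    @{ Min = [version]'7.4.0'; Max = [version]'7.4.14' },
    @{ Min = [version]'7.5.0'; Max = [version]'7.5.5'  }
)

function ConvertTo-PlainVersion {
    # pwsh.exe ProductVersion and $PSVersionTable.PSVersion can carry suffixes
    # (pre-release tags, build metadata); keep only the leading major.minor.patch.
    param([Parameter(Mandatory)][string]$Text)
    if ($Text -match '^(\d+)\.(\d+)\.(\d+)') {
        return [version]"$($Matches[1]).$($Matches[2]).$($Matches[3])"
    }
    throw "Unrecognised version string: $Text"
}

function Test-Cve202626143Affected {
    # True when the version falls inside one of the affected ranges listed on this page.
    param([Parameter(Mandatory)][version]$Version)
    foreach ($r in $AffectedRanges) {
        if ($Version -ge $r.Min -and $Version -le $r.Max) { return $true }
    }
    return $false
}

# 1. Installed PowerShell 7 binaries under the default install path (assumed location).
Get-ChildItem -Path "$env:ProgramFiles\PowerShell\*\pwsh.exe" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ver = ConvertTo-PlainVersion $_.VersionInfo.ProductVersion
        [pscustomobject]@{
            Path     = $_.FullName
            Version  = $ver
            Affected = Test-Cve202626143Affected -Version $ver
        }
    } | Format-Table -AutoSize

# 2. The current session: engine version plus the hardening state the control above refers to.
$session = ConvertTo-PlainVersion $PSVersionTable.PSVersion.ToString()
[pscustomobject]@{
    SessionVersion  = $session
    Affected        = Test-Cve202626143Affected -Version $session
    LanguageMode    = $ExecutionContext.SessionState.LanguageMode
    ExecutionPolicy = Get-ExecutionPolicy
} | Format-List

# Per-scope view, so a machine-wide policy overridden at process or user scope is visible.
Get-ExecutionPolicy -List
```

Execution policy and language mode are interim hardening only; the affected flag is what drives the SI-2 patching action.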

