CVE-2026-35431

Critical

Published: 23 April 2026

Published

23 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0009 25.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35431 is a critical-severity SSRF (CWE-918) vulnerability in Microsoft Entra Id. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the SSRF vulnerability by requiring timely identification, reporting, and remediation of the specific flaw in Microsoft Entra ID Entitlement Management.

SI-10 Information Input Validation good match

prevent

Prevents SSRF exploitation by enforcing validation of untrusted inputs such as URLs that could trick the server into making unauthorized network requests.

SC-7 Boundary Protection good match

prevent

Blocks SSRF-induced unauthorized outbound requests from the server to internal or restricted network resources through boundary protection mechanisms like firewalls or proxies.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The CVE describes a remotely exploitable SSRF vulnerability in the publicly accessible Microsoft Entra ID Entitlement Management service with no authentication required, directly matching the definition of exploiting a public-facing application for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.

Deeper analysisAI

CVE-2026-35431 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, in Microsoft Entra ID Entitlement Management. Published on 2026-04-23T22:16:38.510, it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critically severe due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and broad impacts across confidentiality, integrity, availability, and changed scope.

An unauthorized attacker can exploit this vulnerability remotely over the network. Exploitation enables the attacker to perform spoofing over a network, leveraging the SSRF to make unauthorized requests on behalf of the server, with potential for high confidentiality, integrity, and availability disruptions given the CVSS metrics.

The Microsoft Security Response Center advisory provides details on mitigation and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35431.

Details

CWE(s): CWE-918

Affected Products

microsoft

entra id

all versions

CVEs Like This One

CVE-2025-59246Same product: Microsoft Entra Id

CVE-2026-24305Same product: Microsoft Entra Id

CVE-2025-55241Same product: Microsoft Entra Id

CVE-2025-21385Same vendor: Microsoft

CVE-2026-32210Same vendor: Microsoft

CVE-2026-26139Same vendor: Microsoft

CVE-2026-26120Same vendor: Microsoft

CVE-2025-21177Same vendor: Microsoft

CVE-2026-32169Same vendor: Microsoft

CVE-2025-59503Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35431
Vendor Advisory · secure@microsoft.com