Severity: High

Azure Entra ID Elevation of Privilege via External Initialization of Trusted Variables or Data Stores

Identifiers: CVE-2026-26148; CWE-454 (External Initialization of Trusted Variables or Data Stores)

CVE-2026-26148 is an elevation of privilege vulnerability in Azure Entra ID. According to the provided content, the flaw is caused by external initialization of trusted variables or data stores, corresponding to CWE-454. Microsoft describes the issue as allowing an unauthorized attacker to elevate privileges locally. The available metadata indicates a local attack vector, high attack complexity, no privileges required, no user interaction, and changed scope (CVSS v3.1: AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H). No further public technical detail about the specific vulnerable function, code path, or affected component within Azure Entra ID is provided in the supplied content.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthorized attacker to elevate privileges in the context of Azure Entra ID. The supplied CVSS vector indicates high impact to confidentiality, integrity, and availability, with scope change, implying that exploitation could enable broad compromise beyond the initially vulnerable component. Based on the provided information, the attacker could gain higher-privileged access and potentially affect protected identity-related resources or operations, but the exact post-exploitation capabilities are not further specified in the available content.

Mitigation

If you can’t patch tonight, do this now.

No specific mitigation steps are provided in the supplied content. In the absence of vendor-published mitigations in the provided material, organizations should follow MSRC guidance for CVE-2026-26148 and reduce local attack opportunities where possible by limiting local access to relevant systems, enforcing least privilege, and monitoring for anomalous privilege changes. Additional mitigation details are currently not available from the provided content.

Remediation

Patch, then assume compromise.

Apply Microsoft's security update or service-side remediation for CVE-2026-26148 as provided through the Microsoft Security Response Center guidance for Azure Entra ID. The supplied content does not include product-specific patch versions, rollout details, or tenant actions beyond the MSRC reference, so further remediation specifics are currently not available from the provided material.
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor                  Product                                                 Type
Microsoft Corporation   Azure AD SSH Login Extension for Linux                  application
Microsoft Corporation   Azure AD SSH Login Extension for Linux (AADSSHLogin)    application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
