A critical (CVSS 9.9) server-side request forgery flaw in Microsoft Entra Provisioning Service (SyncFabric) lets an authenticated attacker elevate privileges across a network.
What Is It
CVE-2026-57100 is a server-side request forgery (SSRF) vulnerability (CWE-918) in the Microsoft Entra Provisioning Service, internally known as SyncFabric. According to Microsoft, the flaw "allows an authorized attacker to elevate privileges over a network." It carries a CVSS 3.1 base score of 9.9 (CRITICAL) with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: network-reachable, low attack complexity, only low privileges required, and no user interaction. Scope is marked Changed, meaning exploitation can affect resources beyond the vulnerable component's security boundary.
Why It Matters
The combination of a scope-changing SSRF and a privilege-elevation outcome is what pushes this to a 9.9. An attacker who already holds low-level authorized access can leverage the flaw to reach network-internal resources and elevate privileges, with high impact to confidentiality, integrity, and availability. Because Entra provisioning sits at the identity layer synchronizing accounts and entitlements, a successful attack here has broad blast radius. Microsoft tags the CVE as an "exclusively-hosted-service," indicating the affected component runs as a Microsoft-operated cloud service.
What's Vulnerable
- Vendor: Microsoft
- Product: Microsoft Entra Provisioning Service (SyncFabric)
- Affected versions: listed as "-" (not versioned), consistent with a cloud-hosted service rather than customer-installed software.
The NVD record includes no affected CPEs and no on-premises version enumeration.
Patch Status
The supplied data does not include a CISA KEV entry, so there is no confirmation of active exploitation at this time. Because the vulnerability is in an exclusively-hosted Microsoft service, remediation is generally handled by Microsoft on the service side rather than by customer patching. Consult the Microsoft Security Response Center guidance below for the authoritative status and any required action. The NVD record was received on 2026-07-02 and remains in "Received" status.
Sources
- NVD, CVE-2026-57100: https://nvd.nist.gov/vuln/detail/CVE-2026-57100
- Microsoft Security Response Center (MSRC) Update Guide: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57100