CVE-2026-33833
Microsoft · Azure Machine Learning
An injection vulnerability in Azure Machine Learning allows unauthorized attackers to perform spoofing over a network due to improper neutralization of special elements in output.
Executive summary
A critical injection vulnerability in Microsoft Azure Machine Learning allows remote attackers to perform spoofing attacks.
Vulnerability
This vulnerability involves CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) indicates that an unauthenticated attacker can trigger this via a network-based vector, though it requires user interaction.
Business impact
The ability for an attacker to perform spoofing can lead to the compromise of data integrity and potential redirection of users to malicious resources. With a CVSS score of 8.2 (High), this vulnerability poses a significant risk to the trustworthiness of machine learning workflows and associated data pipelines.
Remediation
Immediate Action: Update Microsoft Azure Machine Learning to version 1.7.6 or later as specified by the vendor security guide.
Proactive Monitoring: Monitor Azure logs for anomalous output generation or unexpected network traffic originating from the Machine Learning service.
Compensating Controls: Deploy Web Application Firewalls (WAF) with strict input/output validation rules to inspect traffic for injection patterns.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity rating and the potential for spoofing attacks, organizations should prioritize the update of Azure Machine Learning instances. Ensure all environments are patched to the secure version to prevent unauthorized manipulation of output components.