CVE-2026-33833

Microsoft · Azure Machine Learning

An injection vulnerability in Azure Machine Learning allows unauthorized attackers to perform spoofing over a network due to improper neutralization of special elements in output.

Executive summary

A critical injection vulnerability in Microsoft Azure Machine Learning allows remote attackers to perform spoofing attacks.

Vulnerability

This vulnerability involves CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N) indicates that an unauthenticated attacker can trigger this via a network-based vector, though it requires user interaction.

Business impact

The ability for an attacker to perform spoofing can lead to the compromise of data integrity and potential redirection of users to malicious resources. With a CVSS score of 8.2 (High), this vulnerability poses a significant risk to the trustworthiness of machine learning workflows and associated data pipelines.

Remediation

Immediate Action: Update Microsoft Azure Machine Learning to version 1.7.6 or later as specified by the vendor security guide.

Proactive Monitoring: Monitor Azure logs for anomalous output generation or unexpected network traffic originating from the Machine Learning service.

Compensating Controls: Deploy Web Application Firewalls (WAF) with strict input/output validation rules to inspect traffic for injection patterns.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity rating and the potential for spoofing attacks, organizations should prioritize the update of Azure Machine Learning instances. Ensure all environments are patched to the secure version to prevent unauthorized manipulation of output components.