CVE-2026-21227
Published: 22 January 2026
Description
Improper limitation of a pathname to a restricted directory ('path traversal') in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network.
Mitigating Controls (NIST 800-53 r5)
- SI-10 Information Input Validation: directly mitigates path traversal by requiring that pathname inputs be validated (canonicalised and checked) so that they remain within the restricted directory.
- AC-3 Access Enforcement: enforces approved access authorizations at the point of resource access, so that a pathname which slips past input validation still cannot yield an unauthorized privilege elevation.
- AC-25 Reference Monitor: mediates every access to system resources through a tamper-proof, always-invoked policy enforcement point, countering attempts to bypass access control via path traversal.
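The input validation the first control calls for is easy to get wrong: a raw string-prefix check accepts sibling directories with a shared name, a plain join accepts absolute paths, and percent-encoded or symlinked segments are missed entirely. The following is an added example, not code from Azure Logic Apps or Microsoft; the helper names (naive_join, safe_resolve, is_contained, run_probes) and the temporary directory layout are assumptions made for this illustration. It places the vulnerable pattern beside a hardened containment check and runs both against constructed traversal probes.

```python
"""Restricted-directory containment check for untrusted path inputs (CWE-22).

Added illustration, not code from Azure Logic Apps or Microsoft; the names
naive_join / safe_resolve / is_contained / run_probes and the sample
directory layout are assumptions made for this example.
"""
import os
import tempfile
from urllib.parse import unquote


def naive_join(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: join a caller-supplied name onto the base.

    os.path.join drops base_dir entirely when user_path is absolute, and
    '..' segments survive untouched, so the result can point anywhere.
    """
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Return the canonical path of user_path inside base_dir, or raise.

    1. Percent-decode once so '%2e%2e/' is judged as '../'.
    2. Reject NUL bytes, which can truncate the path in lower layers.
    3. Canonicalise base and candidate with realpath (follows symlinks,
       collapses '.' and '..'), then require the candidate to lie under the
       base by path segments rather than by raw string prefix, so that
       '/srv/data' does not accept '/srv/data_private/x'.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path input")
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, decoded))
    try:
        inside = os.path.commonpath([real_base, candidate]) == real_base
    except ValueError:  # e.g. different drives on Windows: cannot be inside
        inside = False
    if not inside:
        raise ValueError(f"path escapes restricted directory: {user_path!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """Policy-style boolean wrapper around safe_resolve."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except ValueError:
        return False


def run_probes() -> dict:
    """Evaluate constructed traversal probes against a throwaway directory.

    Layout (constructed for this example):
        <tmp>/data            the restricted directory
        <tmp>/data/reports    a legitimate subdirectory
        <tmp>/data_private    a sibling whose name shares the prefix
        <tmp>/outside         a directory reached via a symlink in data/
    Returns {probe: allowed?} so the outcome can be checked programmatically.
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "data")
    os.makedirs(os.path.join(base, "reports"))
    os.makedirs(os.path.join(root, "data_private"))
    os.makedirs(os.path.join(root, "outside"))
    probes = [
        "reports/2026-01.json",          # legitimate
        "reports/../2026-01.json",       # '..' that stays inside the base
        "../../etc/passwd",              # classic traversal
        "%2e%2e/%2e%2e/etc/passwd",      # percent-encoded traversal
        "/etc/passwd",                   # absolute path replaces the base
        "../data_private/secret.txt",    # sibling with a shared name prefix
        "reports/a\x00.json",            # NUL byte
    ]
    results = {p: is_contained(base, p) for p in probes}
    try:  # symlink escape; creation may be disallowed on some platforms
        os.symlink(os.path.join(root, "outside"), os.path.join(base, "link"))
        results["link/file.txt"] = is_contained(base, "link/file.txt")
    except OSError:
        pass
    return results


if __name__ == "__main__":
    for probe, allowed in run_probes().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {probe!r}")
```

Only the first two probes are allowed; every other probe is rejected, including the sibling-directory and symlink cases that a prefix comparison on the un-canonicalised string would let through. The decode step runs once on purpose: decoding repeatedly until stable would re-introduce double-encoding ambiguities between the validator and the component that finally opens the file.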
Security Summary
CVE-2026-21227, published on 2026-01-22, is an improper limitation of a pathname to a restricted directory vulnerability, classified as path traversal (CWE-22), affecting Azure Logic Apps. The flaw enables unauthorized privilege elevation and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): high severity, driven by network reachability, low attack complexity, and no required privileges or user interaction.
An unauthenticated attacker can exploit the vulnerability remotely over the network. Successful exploitation yields privilege elevation with high confidentiality impact (unauthorized read access to sensitive data) and low integrity impact; availability is not affected. The scope metric is unchanged (S:U), so the rated impact is confined to the vulnerable component itself rather than extending to other security authorities.
The Microsoft Security Response Center advisory provides details on mitigation and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21227.
Details
- CWE(s): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Affected Products: Azure Logic Apps
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal flaw sits in a public-facing service and is reachable over the network without authentication, so initial access maps to Exploit Public-Facing Application (T1190); the unauthorized privilege elevation that results maps to Exploitation for Privilege Escalation (T1068).