AI Strategy, Cybersecurity, Compliance Automation & Microsoft 365 Managed IT for Security-First Financial Institutions | ABT Blog

Microsoft Entra ID Entitlement Management SSRF (CVSS 10.0)

Written by Justin Kirsch | Sat, May 23, 2026

On April 23, 2026, Microsoft disclosed a vulnerability in Microsoft Entra ID Entitlement Management with a CVSS 3.1 base score of 10.0, the maximum possible value on the scoring scale. The Common Vulnerabilities and Exposures identifier is CVE-2026-35431, classified as a Server-Side Request Forgery, or SSRF, under Common Weakness Enumeration CWE-918.

For most financial institutions, the immediate question is not "do we patch endpoints" but "do we even have this product turned on, and if so, what governance hygiene have we let drift since the access packages were first set up?"

This article walks banks, credit unions, and mortgage companies through what the vulnerability actually does, who is on the hook for verification, and a four-step action plan you can run this week. No PowerShell deep-dive, no patch chasing across domain controllers. Just the governance work this disclosure makes urgent.

10.0: CVE-2026-35431 CVSS 3.1 base score, the maximum possible value on the scoring scale. The vulnerability is a Server-Side Request Forgery (CWE-918) in Microsoft Entra ID Entitlement Management.
Source: NIST National Vulnerability Database, CVE-2026-35431 (published April 23, 2026); Microsoft Security Update Guide

Why a 10.0 CVSS in identity governance is different

A CVSS 10.0 in a web app, a database engine, or a network appliance is bad enough. The same score in an identity governance layer is a different category of bad, because the governance layer is the part of your Microsoft tenant that decides who is allowed to have access to what.

Microsoft Entra ID Entitlement Management is the access governance feature inside Microsoft Entra ID Governance. Per the Microsoft Learn product documentation, it lets organizations "manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration." That is a polite way of saying: this is the layer where access packages are defined, approved, granted, reviewed, and eventually expired. It connects directly to Microsoft 365 group membership, Microsoft Teams membership, SharePoint Online site membership, Microsoft Entra security groups, Microsoft 365 license assignments, Azure role assignments, and Microsoft Entra role grants.

If a flaw in the governance layer can be coerced into accepting a forged or misrepresented signal, the consequences are not cosmetic. The blast radius travels through every downstream resource the access package touches. That is the framing that should anchor your response, not the vulnerability ID, not the patch number, not even the CVSS score. The score tells you the upper bound of the blast radius. The product description tells you what is in the blast radius.

Why this matters for banks, credit unions, and mortgage companies

Identity governance is the layer your examiners ask about under the Federal Financial Institutions Examination Council Information Security booklet, the National Credit Union Administration's IT examination program, and the Office of the Comptroller of the Currency's risk-based examination scope. Access reviews, separation of duties, and least-privilege enforcement all rely on whatever your governance layer reports as the truth. If that layer can be deceived, every audit artifact downstream of it inherits the same uncertainty.

What CVE-2026-35431 actually is

The technical description is short. Per the NIST National Vulnerability Database, CVE-2026-35431 is "Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management [that] allows an unauthorized attacker to perform spoofing over a network."

The CVSS vector breakdown tells the story in operational terms:

CVSS Component | Value | What It Means
--- | --- | ---
Attack Vector (AV) | Network (N) | Reachable across a network. No physical access required.
Attack Complexity (AC) | Low (L) | No complex preconditions. Reliable to trigger.
Privileges Required (PR) | None (N) | Attacker does not need an account, role, or grant in your tenant.
User Interaction (UI) | None (N) | No phishing click, no admin approval, no helpdesk social engineering needed.
Scope (S) | Changed (C) | Impact extends beyond the vulnerable component into other parts of the platform.
Confidentiality / Integrity / Availability | High / High / High | Full impact across all three pillars of the security triad.

SSRF, the Server-Side Request Forgery class, works by tricking the vulnerable server into issuing HTTP requests to internal infrastructure that the attacker should not directly reach. The "spoofing" framing in the NIST description points at the second-order effect: when the governance server can be coerced into making the request, downstream systems treat that request as legitimate because it originated from the trusted governance layer.

That is the practical worry here. Access packages encode permissions. Approval workflows reduce human scrutiny by design. If the governance server can be deceived into treating a request as approved, the deception can become a real grant.

What "exploitation" means in the Microsoft Security Update Guide

Microsoft's Security Update Guide assigns CVE-2026-35431 the highest exploitation status the model uses for disclosed vulnerabilities. As of disclosure, public proof-of-concept code was not circulating, and Feedly's threat-intelligence summary recorded "no public proof-of-concept exploits." The most likely real-world exploit path is high-skill threat actors moving on the disclosure window before all tenants verify the cloud-side patch has reached them. Treat the classification as a signal to verify and monitor, not as evidence that named institutions have already been breached.

Who's affected: licensing matters more than you think

The first practical question for any financial institution is whether Entitlement Management is even active in your tenant. The answer is gated to your Microsoft Entra ID licensing tier. Per Microsoft's Entra ID Governance licensing fundamentals, Entitlement Management ships with the following plans:

Microsoft Entra Plan | Entitlement Management Available | Typical FI Deployment
--- | --- | ---
Microsoft Entra ID Free | No | Not in scope for this CVE on this tier.
Microsoft Entra ID P1 | No (limited preview only) | Most community FIs at this tier are not in scope unless preview features were enabled.
Microsoft Entra ID P2 | Yes | FIs that bought Entra ID P2 standalone or via Microsoft 365 E5 inherit Entitlement Management.
Microsoft Entra ID Governance | Yes (full feature set) | FIs running mature identity governance, including managers requesting on behalf of employees and external custom-extension approvals.
Microsoft Entra Suite | Yes (full feature set) | FIs that bundle Entra Private Access, Internet Access, ID Protection, ID Governance, and Verified ID.

If your tenant runs on Microsoft 365 Business Premium plus Microsoft Entra ID P1, Entitlement Management is not active by default and CVE-2026-35431 has limited surface in your environment. The governance hygiene recommendations in this article still apply, because they are good practice independent of any specific CVE, but the urgency-this-week framing does not.

If your tenant runs on Microsoft Entra ID P2, Microsoft Entra ID Governance, or Microsoft Entra Suite, your first verification step is determining whether anyone in your organization actually configured access packages and assigned them. Having the feature licensed does not mean it is in use.

Not sure which Microsoft Entra plan you're on, or whether Entitlement Management has been turned on in your tenant? Run the ABT security grade assessment for a tenant inventory that includes governance posture, conditional access coverage, and license-feature visibility in under five minutes.

The fix lives in the cloud, not on your endpoints

This is the part of the response that surprises operations teams who are used to tracking patch deployment across endpoints, servers, and domain controllers. CVE-2026-35431 affects Microsoft-operated cloud infrastructure. Microsoft applies the fix at the platform level. Your IT team does not patch a workstation, does not run an Intune compliance check, and does not push a domain controller out-of-band update to remediate this CVE.

Per the CVE record's Remediation Level field (official-fix), Microsoft has published the patch and is rolling it out across the hosted Entra ID Entitlement Management service. The customer action is verification, monitoring, and access-governance hygiene, not endpoint patching.

The blast radius of an SSRF vulnerability in identity governance is the set of resources access packages can grant. That set spans Microsoft 365 Groups, Microsoft Teams, SharePoint Online sites, Microsoft Entra security groups, Microsoft 365 licenses, Azure role assignments, and Microsoft Entra role grants.

Microsoft 365 platform context

Microsoft Entra ID Entitlement Management is the access-governance pillar inside Microsoft Entra ID Governance, alongside Privileged Identity Management, Lifecycle Workflows, and Access Reviews. It integrates with Microsoft Defender for Cloud Apps, Microsoft Purview Insider Risk Management, and Microsoft Entra ID Protection. When the governance layer is compromised, the integration surface becomes the propagation path. That is why server-side fixes still require customer-side governance review: the fix closes the SSRF, but it does not retroactively re-evaluate any access decisions made during the disclosure window.

The four-step financial institution verification this week

For banks, credit unions, and mortgage companies running Microsoft Entra ID P2, Microsoft Entra ID Governance, or Microsoft Entra Suite, the practical action plan is short. None of these steps requires a maintenance window. None of them requires endpoint changes. All of them produce evidence your auditor can use later.

1. Verify license posture and feature activation

In the Microsoft Entra admin center, confirm which plan your tenant runs on. If it includes Entitlement Management, browse to Identity Governance, then Entitlement Management, then Access Packages. If the page is empty, no access packages have been created and the attack surface is theoretical. If access packages exist, continue to step 2.

2. Audit recent access-package assignments

Pull the last 30 days of Entitlement Management assignments and approvals from the Microsoft Entra audit log. Compare each assignment to the user's role and to the access-package policy. Flag any assignment that does not match the policy's expected requestor pool, especially assignments to privileged groups, Microsoft Entra role-assignable groups, or access packages that grant Microsoft 365 licenses or Azure role assignments.

3. Confirm Microsoft has applied the cloud-side fix

Check the Microsoft Security Update Guide entry for CVE-2026-35431 for the deployment status of your tenant's region. If your customer success representative or Microsoft technical account manager can confirm the patch has reached your tenant, document that confirmation in your incident-response evidence file.

4. Tighten the governance perimeter for the next disclosure

Independent of this CVE, raise the bar on Entitlement Management hygiene. Require multi-stage approval for any access package that grants Microsoft Entra role-assignable groups. Set quarterly access reviews on every access package that touches privileged data. Configure Conditional Access scoping on access packages so that requestors must come from a compliant device. These are stable hardening steps that do not depend on this disclosure.

  • Access packages that grant Microsoft Entra role-assignable groups are the highest priority for the audit pass. A spoofed assignment here can map to Global Administrator, Privileged Role Administrator, or Identity Governance Administrator.
  • Access packages tied to Microsoft 365 group-based licensing should be audited next. A spoofed assignment can give an attacker a Microsoft 365 license, which gives them Microsoft Graph access in your tenant.
  • Access packages that grant Microsoft Teams or SharePoint Online site membership are second-tier priority. Data exposure is the risk; privileged escalation is less direct.
  • Connected-organization assignments for B2B external users deserve attention because they involve identity sources outside your tenant. A spoofed approval here invites an external identity into your access surface.
  • Access packages with no privileged resources, no licenses, and no external requestors are the lowest priority. Document the audit, but do not park other work to investigate them first.
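As an added illustration of the audit in step 2 and the priority order in the list above (example code written for this article, not from Microsoft), the following Python triages a set of constructed assignment events against each access package's policy: it flags requestors outside the policy's requestor pool and assignments that lack an approver where the policy requires one, then orders the findings by the tiers listed above. The record shape, identities and package ids are simplified placeholders, not the Microsoft Graph audit-log schema.

```python
from __future__ import annotations
from dataclasses import dataclass
# Audit tiers follow the article's priority list (1 = audit first).
TIER = {"roleAssignableGroup": 1, "license": 2, "externalAccess": 3, "teamOrSite": 4, "other": 5}

@dataclass(frozen=True)
class PackagePolicy:
    package_id: str
    allowed_requestors: frozenset[str]  # identities the policy expects to request it
    resource_types: frozenset[str]      # TIER keys describing what the package grants
    approval_required: bool

@dataclass(frozen=True)
class AssignmentEvent:                  # constructed, simplified shape (not the Graph schema)
    package_id: str
    requestor: str
    approved_by: str | None             # None = no approver recorded in the log
    target_is_external: bool            # connected-organization (B2B) target

@dataclass(frozen=True)
class Finding:
    event: AssignmentEvent
    priority: int
    reasons: list[str]

def package_priority(policy: PackagePolicy | None, event: AssignmentEvent) -> int:
    """Lowest tier among the granted resources wins; B2B targets rank at least tier 3."""
    if policy is None:                  # a package with no recorded policy is audited first
        return 1
    tiers = [TIER.get(r, TIER["other"]) for r in policy.resource_types] or [TIER["other"]]
    if event.target_is_external:
        tiers.append(TIER["externalAccess"])
    return min(tiers)

def triage(events: list[AssignmentEvent], policies: dict[str, PackagePolicy]) -> list[Finding]:
    """Flag assignments that fall outside policy and order them by audit tier."""
    findings = []
    for ev in events:
        policy = policies.get(ev.package_id)
        reasons = []
        if policy is None:
            reasons.append("assignment to a package with no recorded policy")
        else:
            if ev.requestor not in policy.allowed_requestors:
                reasons.append("requestor outside the policy's expected requestor pool")
            if policy.approval_required and not ev.approved_by:
                reasons.append("policy requires approval but no approver is recorded")
        if reasons:
            findings.append(Finding(ev, package_priority(policy, ev), reasons))
    findings.sort(key=lambda f: f.priority)   # stable: log order is kept within a tier
    return findings

# Constructed sample data; identities and package ids are placeholders.
SAMPLE_POLICIES = {p.package_id: p for p in [
    PackagePolicy("pkg-helpdesk", frozenset({"alice@fi.example"}), frozenset({"teamOrSite"}), False),
    PackagePolicy("pkg-privroles", frozenset({"iam-admins@fi.example"}), frozenset({"roleAssignableGroup"}), True),
    PackagePolicy("pkg-e5-license", frozenset({"bob@fi.example"}), frozenset({"license"}), True),
    PackagePolicy("pkg-vendor-portal", frozenset({"vendor-mgr@fi.example"}), frozenset({"teamOrSite"}), True),
]}
SAMPLE_EVENTS = [
    AssignmentEvent("pkg-helpdesk", "alice@fi.example", "helpdesk-lead@fi.example", False),
    AssignmentEvent("pkg-privroles", "unknown@outside.example", None, False),
    AssignmentEvent("pkg-e5-license", "bob@fi.example", None, False),
    AssignmentEvent("pkg-vendor-portal", "guest@partner.example", "vendor-mgr@fi.example", True),
]
```

Running `triage(SAMPLE_EVENTS, SAMPLE_POLICIES)` returns three findings, with the role-assignable-group package first and the in-policy helpdesk assignment not flagged at all.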

The fix closes the Server-Side Request Forgery. It does not retroactively re-evaluate any access decisions made during the disclosure window. The governance review is the part you do.

How this connects to your broader Entra ID identity governance posture

One disclosure does not justify rebuilding your identity strategy. A pattern of disclosures, all touching the same governance layer, does justify reviewing the strategy. CVE-2026-35431 fits a 2026 pattern that Access Business Technologies has been tracking across the Microsoft cloud surface for our managed financial institution clients.

The pattern: Microsoft Entra ID is the identity control plane for Microsoft 365 and Azure. As more tenants concentrate identity, governance, and Conditional Access in Microsoft Entra ID, the platform itself becomes a higher-value target. Vulnerabilities in adjacent layers (Entitlement Management, Conditional Access policy evaluation, authentication strength enforcement) all map to the same control plane. The fix model also concentrates: Microsoft applies most fixes server-side. The customer model is verification, monitoring, and governance hygiene, not patching.

This pattern shows up in our previous Guardian advisory coverage of Microsoft 365 device-code phishing attacks, the Teams helpdesk impersonation attack chain, and the broader push toward phishing-resistant authentication. Each of those advisories pointed at a different surface inside Microsoft Entra ID. Each one had the same operational shape: cloud-side fix from Microsoft, governance-side action from the financial institution.

The strategic implication for community banks, regional banks, credit unions, and mortgage companies is simple. The era of identity-as-a-product, where you bought Active Directory and ran it on a server you patched, is over for most institutions. Identity is now a managed cloud service, and the work shifts from patching to governance. Access reviews stop being a quarterly checkbox and become a recurring control that catches drift between what your access policies say and what your tenant actually grants.

For more on the broader phishing-resistant authentication push that touches the same Microsoft Entra ID surface, see our companion piece on phishing-resistant multi-factor authentication for financial institutions. For the device-code-phishing attack chain that exploits a related Microsoft Entra ID authentication path, see our analysis of Microsoft 365 device code phishing. For a recent governance-layer attack pattern that uses social engineering inside Microsoft Teams to escalate privilege, see our writeup of the Teams helpdesk impersonation nine-stage intrusion. And for the security-baseline framing that contextualizes Microsoft Secure Score against your peer benchmarks, see why your Microsoft Secure Score matters.


Key takeaway for banks, credit unions, and mortgage companies

CVE-2026-35431 is a maximum-severity Server-Side Request Forgery in Microsoft Entra ID Entitlement Management. Microsoft applies the fix server-side. Your action this week is verification: confirm whether your tenant has Entitlement Management active, audit recent access-package assignments for anything outside policy, and tighten governance hygiene on packages that touch privileged groups, license assignments, or external requestors. The CVE will become an audit-evidence question; the prepared institution gets to answer it from documentation, not from memory.

See your tenant's identity governance posture this week

CVE-2026-35431 will not be the last disclosure that lands at the Microsoft Entra ID governance layer. The institutions that handle each disclosure quickly are the ones that already have visibility into their tenant. ABT's free security grade assessment surfaces your Entitlement Management activation status, your Conditional Access coverage, your license-feature inventory, and your Secure Score against your peer benchmark, in under five minutes.


Frequently Asked Questions

No. The vulnerability affects Microsoft-operated cloud infrastructure inside Microsoft Entra ID Entitlement Management. Microsoft applies the fix server-side at the platform level. Your IT team does not patch workstations, does not push out-of-band updates to domain controllers, and does not run an Intune compliance pass to remediate this CVE. The customer action is verification, monitoring, and access-governance hygiene.

Two checks. First, confirm your tenant runs on Microsoft Entra ID P2, Microsoft Entra ID Governance, or Microsoft Entra Suite. Tenants on Microsoft Entra ID Free or Microsoft Entra ID P1 do not have Entitlement Management active by default. Second, in the Microsoft Entra admin center, browse to Identity Governance, then Entitlement Management, then Access Packages. If the page is empty, no access packages have been created and the surface in your tenant is theoretical. If access packages exist, your governance review starts there.

Microsoft's Security Update Guide assigns CVE-2026-35431 the highest exploitation status the model uses for disclosed vulnerabilities. As of disclosure, public proof-of-concept code was not circulating. Feedly's threat-intelligence summary recorded "no public proof-of-concept exploits, patches, or mitigation details available" at the disclosure window. Treat the classification as a signal to verify and monitor, not as evidence that named institutions have already been breached.

Server-Side Request Forgery, classified as Common Weakness Enumeration CWE-918, works by tricking the vulnerable server into issuing HTTP requests to internal infrastructure that the attacker should not directly reach. A normal web vulnerability typically lets an attacker manipulate the response sent back to a user. SSRF inverts the relationship: the attacker manipulates the requests the server itself issues. In an identity governance context, the worry is that the governance server, which downstream systems trust by design, can be coerced into making the request. Downstream systems then treat the request as legitimate.

The fix closes the Server-Side Request Forgery in the Microsoft cloud platform. It does not retroactively re-evaluate any access decisions made during the disclosure window. If a spoofed request reached your governance layer before the fix and resulted in an access-package assignment, that assignment persists until your team finds it and removes it. The customer-side governance review is the part that catches assignments outside policy. It is also the part that becomes audit evidence the next time an examiner asks how your institution responds to identity-platform disclosures.

Microsoft Entra ID Entitlement Management is gated to Microsoft Entra ID P2, Microsoft Entra ID Governance, and Microsoft Entra Suite per Microsoft's Entra ID Governance licensing fundamentals. Tenants on Microsoft 365 Business Premium with Microsoft Entra ID P1 do not have Entitlement Management active by default and CVE-2026-35431 has limited surface in those environments. The governance hygiene recommendations in this article still apply as good practice, but the urgency-this-week framing is reserved for tenants where the feature is actually in use.

The relevant control families sit inside the Federal Financial Institutions Examination Council Information Security booklet, the National Credit Union Administration's IT examination program, and the Office of the Comptroller of the Currency's risk-based examination scope. The specific controls that this CVE touches are access-management lifecycle, separation of duties, least-privilege enforcement, and vendor-platform vulnerability management. Mapped to the National Institute of Standards and Technology Cybersecurity Framework version 2.0, the response work falls primarily under the Protect function, specifically PR.AA Identity Management, Authentication, and Access Control, with detection and response support from the Detect and Respond functions.

Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has helped financial institutions secure their Microsoft cloud surface since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he helps more than 750 banks, credit unions, and mortgage companies translate Microsoft Entra ID identity governance disclosures into action plans their examiners can verify, without rebuilding the identity strategy every time the platform ships a CVE.