Executive Summary
Microsoft has disclosed CVE-2026-26135, a critical-severity server-side request forgery (SSRF) vulnerability in the Azure Custom Locations Resource Provider (RP) with a CVSS score of 9.6. The flaw allows an authorized attacker to perform privilege escalation over the network, potentially enabling lateral movement within Azure infrastructure or access to internal services.
Azure Custom Locations is an Azure Arc feature that allows administrators to map Azure resource types to custom on-premises or edge compute locations. A vulnerability in its Resource Provider backend could allow an attacker with existing Azure credentials to escalate their privileges by forging server-side requests to internal Azure infrastructure.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-26135 |
| CVSS Score | 9.6 (Critical) |
| Type | Server-Side Request Forgery (SSRF) |
| Component | Azure Custom Locations Resource Provider |
| Attack Vector | Network |
| Privileges Required | Low (authorized attacker) |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Yes — managed by Microsoft |
| Published | April 3, 2026 |
Affected Components
| Component | Description |
|---|---|
| Azure Custom Locations Resource Provider | Azure Arc extension enabling custom on-prem/edge resource mapping |
| Azure Arc-enabled Kubernetes clusters | Any Arc-connected cluster using Custom Locations |
Custom Locations is a globally available Azure service managed by Microsoft. Unlike self-hosted software, the patch is deployed by Microsoft directly — customers do not need to apply updates manually to the service itself, but should audit any associated resources.
Technical Background
What Is Azure Custom Locations?
Azure Custom Locations is part of the Azure Arc platform. It enables organizations to:
- Create custom Azure resource types that map to on-premises or edge infrastructure
- Use Azure Resource Manager APIs to deploy and manage resources outside of Azure datacenters
- Extend Azure services (like App Service, Data Services) to arbitrary compute environments
The Custom Locations Resource Provider is the Azure-side service that handles API requests for these custom resources.
SSRF in a Resource Provider Context
An SSRF vulnerability in an Azure Resource Provider is particularly severe because:
- Azure's internal network contains privileged metadata endpoints, management APIs, and inter-service communication channels that are not exposed publicly
- A forged request made by the Azure RP backend can reach internal Azure infrastructure on behalf of the attacker — bypassing network perimeter controls
- Privilege escalation becomes possible when SSRF allows access to internal token issuance services, management plane APIs, or identity endpoints that can be used to acquire elevated credentials
The attacker must already hold some level of Azure authorization (e.g., contributor or reader role on a subscription with Arc resources), but can use the SSRF to escalate beyond their authorized scope.
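The root cause class here is a backend that makes outbound requests to a destination the caller can influence without validating where that destination actually leads. The following is an added example, not Microsoft code and not a reconstruction of the Custom Locations RP: it shows the destination check such a fetcher needs, as a 'before' that trusts the URL and an 'after' that enforces a scheme and host allowlist and rejects any resolved address in an internal range (loopback, RFC 1918, link-local including the 169.254.169.254 metadata endpoint, IPv6 ULA). `ALLOWED_HOSTS` and the constructed addresses are assumptions; the blocked prefixes are the standard reserved ranges.

```python
# Added example (not Microsoft code): destination validation for a server-side fetcher.
# ALLOWED_HOSTS is a constructed assumption; BLOCKED_NETWORKS are the standard
# loopback, private, shared-address, link-local and IPv6 ULA/link-local ranges.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example-partner.test"}  # constructed: the only upstream this service should call

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal_address(addr: str) -> bool:
    """True if addr falls in a range a backend must never be steered toward."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is checked as its IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def vulnerable_target(url: str) -> str:
    """'Before' pattern: the caller-supplied URL is used as-is for the outbound request."""
    return url


def hardened_target(url: str, resolved_addresses=None) -> str:
    """'After' pattern: returns url only if scheme, host and every resolved address pass.

    resolved_addresses lets tests inject DNS answers; when None the host is
    resolved with socket.getaddrinfo. Raises ValueError on any rejection.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    if resolved_addresses is None:
        try:
            infos = socket.getaddrinfo(host, parts.port or 443, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
        resolved_addresses = [info[4][0] for info in infos]
    # Check every answer: an allowlisted name that resolves to an internal
    # address (DNS rebinding, compromised zone) is still rejected.
    for addr in resolved_addresses:
        if is_internal_address(addr):
            raise ValueError(f"{host!r} resolves to internal address {addr}")
    return url


def is_safe_target(url: str, resolved_addresses=None) -> bool:
    """Boolean wrapper around hardened_target for callers that only need a verdict."""
    try:
        hardened_target(url, resolved_addresses)
    except ValueError:
        return False
    return True
```

The allowlist-first ordering matters: a literal IP such as `169.254.169.254` is rejected before any resolution happens, and resolution results are checked per address so a name with mixed public and private answers fails closed. In production the fetcher must also connect to the address it validated (not re-resolve), otherwise the check can be raced.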
Impact Assessment
| Impact Area | Description |
|---|---|
| Privilege Escalation | Attacker can gain access beyond their authorized Azure role |
| Internal Service Access | SSRF may reach Azure internal metadata endpoints or management APIs |
| Cross-Tenant Risk | In shared Azure infrastructure, SSRF could affect resources belonging to other tenants |
| Arc-Connected Resources | On-premises resources connected via Azure Arc may be accessible via escalated privileges |
| Credential Theft | Internal token endpoints accessible via SSRF could yield higher-privilege tokens |
Who Is Affected?
Organizations using Azure Arc with Custom Locations are potentially affected, particularly those that:
- Have Arc-connected Kubernetes clusters with Custom Locations enabled
- Grant contributor or operator-level access to users or service principals
- Use Custom Locations to host Azure App Service, Azure Functions, or Azure Data Services on Arc clusters
Organizations that do not use Azure Arc Custom Locations are not directly impacted.
Remediation
As this is a managed Azure service, Microsoft is responsible for patching the vulnerability on the server side. However, customers should take the following actions:
1. Review Azure Arc Custom Locations Permissions
```bash
# List all Custom Locations in your subscription
az customlocation list --output table

# Review role assignments on Custom Location resources. --all includes
# assignments made at resource-group and resource scope, which a
# subscription-scoped listing would not show.
az role assignment list --all --output table | grep -i customLocation
```
2. Audit Access to Azure Arc Resources
```bash
# List all Arc-connected clusters
az connectedk8s list --output table

# Review service principal access
az ad sp list --filter "displayName eq 'your-arc-sp'" --output json
```
3. Apply Principle of Least Privilege
Ensure that no user or service principal has more Azure RBAC access than needed for their role. Specifically:
- Restrict Custom Locations Contributor and Owner roles to only those who require it
- Use Azure Policy to enforce least-privilege access on Arc resources
- Enable Azure Defender for Containers and Azure Defender for Servers on Arc-connected machines
4. Monitor for Suspicious Activity
```bash
# Review Azure Activity Log for unusual Custom Locations API calls
az monitor activity-log list \
  --resource-type "Microsoft.ExtendedLocation/customLocations" \
  --start-time 2026-03-01 \
  --output table
```
Enable Microsoft Sentinel or Microsoft Defender for Cloud alerts for anomalous Azure Resource Manager API activity.
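Steps 1 to 3 above produce role assignment listings that still have to be interpreted, and the part that is easy to miss is inheritance: an Owner or Contributor assignment at subscription or resource group scope reaches every Custom Location beneath it even though no assignment is visible on the resource itself. The following is an added example, not from Microsoft or this advisory, that performs that least-privilege review over records in the shape `az role assignment list -o json` returns (`principalName`, `principalType`, `roleDefinitionName`, `scope`). The records, principal names, resource ids, placeholder subscription id and the set of principals expected to hold broad roles are all constructed assumptions; Owner and Contributor are Azure built-in roles.

```python
# Added example (not Microsoft code): least-privilege audit of role assignments
# reaching Custom Location resources, including inherited ones.  All records,
# names and the subscription id below are constructed.

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
CL_TYPE = "providers/Microsoft.ExtendedLocation/customLocations"

# Roles that grant write control over a resource. Extend for custom roles.
BROAD_ROLES = {"Owner", "Contributor"}

# Constructed: the only principals that should hold a broad role reaching a Custom Location.
EXPECTED_BROAD_PRINCIPALS = {"platform-admins"}

FACTORY = f"{SUB}/resourceGroups/rg-arc-edge/{CL_TYPE}/factory-floor-01"
STORE = f"{SUB}/resourceGroups/rg-arc-store/{CL_TYPE}/store-22"
SAMPLE_CUSTOM_LOCATIONS = [FACTORY, STORE]


def _assignment(name, ptype, role, scope):
    """Constructed record with the fields `az role assignment list -o json` emits (subset)."""
    return {"principalName": name, "principalType": ptype,
            "roleDefinitionName": role, "scope": scope}


SAMPLE_ASSIGNMENTS = [
    _assignment("platform-admins", "Group", "Owner", SUB),                                   # expected
    _assignment("svc-arc-deploy", "ServicePrincipal", "Contributor", f"{SUB}/resourceGroups/rg-arc-edge"),
    _assignment("edge-dev", "User", "Contributor", FACTORY),
    _assignment("auditor", "User", "Reader", FACTORY),                                        # read-only
    _assignment("web-team", "Group", "Contributor", f"{SUB}/resourceGroups/rg-unrelated"),    # other RG
]


def scope_covers(scope: str, resource_id: str) -> bool:
    """True if an assignment at `scope` applies to `resource_id`.

    Azure RBAC inherits down the hierarchy, so the assignment applies when the
    scope equals the resource id or is one of its ancestors.
    """
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")


def audit_custom_location_access(assignments, custom_locations,
                                 expected=EXPECTED_BROAD_PRINCIPALS, broad_roles=BROAD_ROLES):
    """Map each Custom Location to broad-role assignments from unexpected principals that reach it."""
    findings = {cl: [] for cl in custom_locations}
    for a in assignments:
        if a["roleDefinitionName"] not in broad_roles or a["principalName"] in expected:
            continue
        for cl in custom_locations:
            if scope_covers(a["scope"], cl):
                findings[cl].append({
                    "principal": a["principalName"], "type": a["principalType"],
                    "role": a["roleDefinitionName"], "scope": a["scope"],
                })
    return findings


if __name__ == "__main__":
    for cl, hits in audit_custom_location_access(SAMPLE_ASSIGNMENTS, SAMPLE_CUSTOM_LOCATIONS).items():
        print(cl.rsplit("/", 1)[-1], "->", [(h["principal"], h["role"], h["scope"]) for h in hits])
```

Against the constructed data the factory-floor location is reachable with write control by the deployment service principal (via its resource group) and by a user assigned directly on the resource, while the store location is reached only by the expected admin group. Feeding real output from `az role assignment list --all -o json` and the ids from `az customlocation list` into the same two functions gives the review step 3 asks for.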
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected Custom Locations API calls | Calls to /providers/Microsoft.ExtendedLocation/customLocations from unexpected principals |
| Unusual role assignments on Arc resources | New role assignments on Custom Locations or Arc clusters |
| Anomalous cross-resource API activity | API calls touching resources the principal should not have access to |
| Azure Defender alerts on Arc resources | Lateral movement or privilege escalation alerts from Defender for Cloud |
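The first three indicators in the table can be expressed directly as rules over Azure Activity Log records, which is what the monitoring command in remediation step 4 retrieves. The following is an added example, not from Microsoft or this advisory: it runs three rules over a batch of records (Custom Locations operations by a caller outside an expected set, role assignment writes scoped to a Custom Location or Arc cluster, and a burst of failed Custom Locations operations from one caller). The records are constructed samples modelled on the Activity Log schema (`caller`, `operationName.value`, `resourceId`, `status.value`, `authorization.scope`); the callers, GUID-like ids, placeholder subscription and the expected-caller allowlist are assumptions. The Activity Log records control-plane writes, deletes and actions rather than reads, so every Custom Locations operation in the batch is a change or action on the resource.

```python
# Added example (not Microsoft code): detection rules over Azure Activity Log records.
# Records are constructed samples in the shape `az monitor activity-log list -o json`
# emits (subset of fields); callers, ids and the allowlist are assumptions.
from collections import Counter

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
CL_NAMESPACE = "Microsoft.ExtendedLocation/customLocations"
ARC_SCOPE_MARKERS = (CL_NAMESPACE.lower(), "microsoft.kubernetes/connectedclusters")
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

EXPECTED_CALLERS = {"ops-admin@contoso.example"}  # constructed allowlist of Custom Locations admins
FAILED_BURST_THRESHOLD = 3  # failed control-plane attempts by one caller within the batch

FACTORY = f"{SUB}/resourceGroups/rg-arc-edge/providers/{CL_NAMESPACE}/factory-floor-01"


def _event(caller, operation, resource_id, status="Succeeded", scope=None):
    """Constructed Activity Log record (subset of the real schema's fields)."""
    return {
        "caller": caller,
        "operationName": {"value": operation},
        "resourceId": resource_id,
        "status": {"value": status},
        "authorization": {"action": operation, "scope": scope or resource_id},
    }


SAMPLE_EVENTS = [
    # Expected admin changes the Custom Location: benign.
    _event("ops-admin@contoso.example", f"{CL_NAMESPACE}/write", FACTORY),
    # Service principal (object id) not on the allowlist writes the Custom Location.
    _event("11111111-1111-1111-1111-111111111111", f"{CL_NAMESPACE}/write", FACTORY),
    # Role assignment created at Custom Location scope: always worth review.
    _event("ops-admin@contoso.example", ROLE_ASSIGNMENT_WRITE,
           f"{FACTORY}/providers/Microsoft.Authorization/roleAssignments/aaaaaaaa-0000-0000-0000-000000000001",
           scope=FACTORY),
    # Role assignment on an unrelated resource group: not an Arc indicator.
    _event("ops-admin@contoso.example", ROLE_ASSIGNMENT_WRITE,
           f"{SUB}/resourceGroups/rg-unrelated/providers/Microsoft.Authorization/roleAssignments/bbbbbbbb-0000-0000-0000-000000000002",
           scope=f"{SUB}/resourceGroups/rg-unrelated"),
] + [
    # Three failed writes from one unknown caller: repeated denied attempts.
    _event("22222222-2222-2222-2222-222222222222", f"{CL_NAMESPACE}/write", FACTORY, status="Failed")
    for _ in range(3)
]


def _is_custom_location_op(record) -> bool:
    return record["operationName"]["value"].lower().startswith(CL_NAMESPACE.lower())


def _scope_is_arc(scope: str) -> bool:
    s = scope.lower()
    return any(marker in s for marker in ARC_SCOPE_MARKERS)


def detect(events, expected_callers=EXPECTED_CALLERS, burst_threshold=FAILED_BURST_THRESHOLD):
    """Return one alert dict per rule match over the batch of records."""
    alerts = []
    failed_by_caller = Counter()
    for rec in events:
        op = rec["operationName"]["value"]
        caller = rec.get("caller", "")
        if _is_custom_location_op(rec):
            if caller not in expected_callers:
                alerts.append({"rule": "unexpected-caller", "caller": caller,
                               "resource": rec["resourceId"], "operation": op})
            if rec["status"]["value"] == "Failed":
                failed_by_caller[caller] += 1
        elif op == ROLE_ASSIGNMENT_WRITE and _scope_is_arc(rec["authorization"]["scope"]):
            alerts.append({"rule": "arc-scope-role-assignment", "caller": caller,
                           "resource": rec["authorization"]["scope"], "operation": op})
    for caller, count in failed_by_caller.items():
        if count >= burst_threshold:
            alerts.append({"rule": "failed-burst", "caller": caller, "count": count,
                           "operation": f"{CL_NAMESPACE}/*"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["caller"], alert.get("resource", alert.get("count")))
```

The role assignment rule keys on `authorization.scope` rather than `resourceId`, because the resource id of a role assignment write is the assignment object itself and only the scope says what it grants access to. The burst rule counts within the batch, so the window is whatever `--start-time` selected; in Sentinel the same logic maps onto a summarize-by-caller over a fixed bin.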
Remediation Checklist
- Monitor Azure Activity Logs for suspicious Custom Locations API calls
- Audit all role assignments on Azure Arc and Custom Locations resources
- Restrict Custom Locations roles to required personnel only
- Enable Microsoft Defender for Cloud on all Arc-connected resources
- Review service principal permissions associated with Arc clusters
- Watch for Microsoft's service-side patch notification and apply any customer-facing mitigations they recommend
- Assess whether any connected on-premises resources could be reached via escalated Azure privileges