Executive Summary
A critical Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure OpenAI has been assigned CVE-2026-45499 with a CVSS score of 9.9 — near-maximum severity. The flaw allows an authorized network attacker to escalate privileges, potentially reaching internal Azure infrastructure, metadata endpoints, or adjacent services that should not be externally accessible. Microsoft has issued a fix through Azure service updates.
Vulnerability Details
| Field | Details |
|---|---|
| CVE | CVE-2026-45499 |
| CVSS | 9.9 (Critical) |
| Type | Server-Side Request Forgery (CWE-918) |
| Component | Microsoft Azure OpenAI Service |
| Authentication | Required (authorized attacker) |
| Privileges Required | Low (standard Azure OpenAI user) |
| User Interaction | None |
| Impact | Privilege Escalation |
Technical Analysis
Server-Side Request Forgery (SSRF) occurs when an application can be coerced into making HTTP requests to arbitrary internal or external URLs on behalf of the attacker. In cloud environments, SSRF is particularly dangerous because it can be used to reach cloud provider metadata endpoints — which expose instance credentials, IAM role tokens, and tenant configuration data.
Azure OpenAI SSRF Context
Azure OpenAI provides API access to GPT-4 and other large language models hosted on Microsoft's infrastructure. Features such as image generation, retrieval-augmented generation (RAG) with external data sources, and function calling allow users to supply URLs or external references that the service fetches or processes server-side.
CVE-2026-45499 exploits this server-side fetching capability to redirect requests to internal Azure infrastructure. Potential targets include:
- Azure Instance Metadata Service (IMDS) at
http://169.254.169.254/metadata/identity/oauth2/token— which returns managed identity access tokens - Internal Azure REST APIs not intended for external access
- Adjacent Azure services on the same internal network segment
Why This Scores 9.9
The near-maximum CVSS score reflects:
- Low attack complexity: SSRF primitives in API services are straightforward to exploit.
- No user interaction: Fully automated exploitation once an attacker has API access.
- High impact across CIA triad: Stolen managed identity tokens enable reading, modifying, or destroying Azure resources.
- Cloud pivot potential: Access to IMDS tokens can cascade to cross-resource and cross-subscription privilege escalation within the same Azure tenant.
Impact
- Privilege escalation within Azure tenant: Stolen managed identity tokens can be used to call Azure Resource Manager, Azure Key Vault, Azure Storage, and other services.
- Data exfiltration: Access to storage accounts, databases, or other data services protected by the compromised identity.
- Lateral movement: Compromised Azure identities may have permissions across multiple subscriptions or resource groups.
- Supply chain risk: Organizations using Azure OpenAI in automated pipelines (CI/CD, agentic workflows) face elevated exposure if the service's managed identity has broad permissions.
Affected Services
| Service | Status |
|---|---|
| Microsoft Azure OpenAI | Patched via Azure service update |
As an Azure PaaS service, Azure OpenAI is patched server-side by Microsoft. Tenant administrators do not need to install patches, but should audit permissions and monitor for signs of exploitation.
Remediation
Immediate Actions
- Apply the Azure service update — Ensure your Azure OpenAI deployment is on the latest service version. Check the Azure Security Bulletin for CVE-2026-45499.
- Audit managed identity permissions — Apply the principle of least privilege to any managed identity associated with Azure OpenAI resources. Remove unnecessary cross-service permissions.
- Restrict outbound network access — Use Azure Private Endpoints and Virtual Network (VNet) integration to prevent Azure OpenAI from making outbound requests to the public internet or internal metadata endpoints.
- Enable Azure Defender for Cloud — Alerts on anomalous API calls and unusual access patterns that may indicate SSRF exploitation.
Defense in Depth
Azure OpenAI Service
└── Private Endpoint (no public internet access)
└── Managed Identity with LEAST PRIVILEGE
└── Network Security Group — block 169.254.0.0/16 (IMDS) egress
└── Azure Monitor — alert on unexpected resource API calls
Detection
Monitor for:
- Outbound requests from Azure OpenAI to
169.254.169.254(IMDS) - Unusual managed identity token requests or high-frequency token acquisitions
- API calls to Azure resources not normally accessed by the OpenAI service
- Entra ID sign-in logs showing managed identity tokens used from unexpected locations
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed (impacts resources beyond the vulnerable component)
- Confidentiality / Integrity / Availability: High
Broader Context: SSRF in Cloud AI Services
SSRF vulnerabilities in cloud AI APIs are a growing class of risk as enterprises integrate large language models into internal workflows with privileged cloud access. The attack surface is significant:
- RAG pipelines that fetch external URLs for context enrichment
- Function calling features that make HTTP requests on the model's behalf
- Image and document processing APIs that load user-supplied URLs
Organizations should treat any AI API that makes server-side HTTP requests as a potential SSRF vector and apply strict network egress controls accordingly.
CVE-2026-45499 is a reminder that cloud AI services carry the same network-level risk as any other cloud-hosted application. Audit your Azure OpenAI managed identity permissions today — a CVSS 9.9 in your AI infrastructure is not something to defer.