CVE-2026-41105: Azure Notification Service SSRF Allows Privilege Escalation
The National Vulnerability Database has disclosed CVE-2026-41105, a high-severity server-side request forgery (SSRF) vulnerability in Azure Notification Service. This flaw, carrying a CVSS v3.1 score of 8.1, allows an authorized attacker to escalate privileges over the network. The vulnerability is categorized under CWE-918, which covers SSRF.
An authorized attacker leveraging this SSRF can force the Azure Notification Service to make requests on their behalf to internal or external resources. This can expose sensitive internal services, data, or allow for further network reconnaissance and lateral movement, ultimately leading to privilege escalation. The ‘authorized attacker’ prerequisite means initial access or a lower-level compromise is required, but the impact of privilege escalation is significant.
For defenders, this is a clear signal to scrutinize permissions within Azure environments, especially those granted to applications interacting with Notification Service. While specific affected products are not detailed by the National Vulnerability Database, organizations heavily reliant on Azure Notification Service for their applications should assume exposure and prioritize mitigation.
What This Means For You
- If your organization uses Azure Notification Service, you must assume exposure to CVE-2026-41105. Prioritize a review of all service principal and application permissions interacting with Notification Service. Implement strict network segmentation and egress filtering to limit potential SSRF abuse, even from authorized entities.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-41105: Azure Notification Service SSRF Attempt
title: CVE-2026-41105: Azure Notification Service SSRF Attempt
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-41105 by identifying requests to the Azure Notification Service endpoint '/api/v2/notification/send' that contain a 'url=' parameter, indicative of an SSRF attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-41105/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/api/v2/notification/send'
cs-uri-query|contains:
- 'url='
condition: cs-uri AND cs-uri-query
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41105 | SSRF | Azure Notification Service |
| CVE-2026-41105 | Privilege Escalation | Azure Notification Service |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-8115 — Gyoridavid Short-Video-Maker Path Traversal
CVE-2026-8115 — A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the...
MAXHUB Pivot Client Vulnerability Exposes Tenant Emails, Allows DoS
CVE-2026-6411 — This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and...
Argo CD CVE-2026-42880: Critical Data Exposure from Read-Only Access
CVE-2026-42880 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there...