CVE-2026-21226: Azure Core shared client library for Python Remote Code Execution Vulnerability

Overview

  • Severity: High (CVSS 7.5)
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  • Category: Remote Code Execution
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Less Likely
  • Patch Tuesday: 2026-Jan
  • Released: 2026-01-13
  • EPSS Score: 1.70% (percentile: 82.3%)

Description

Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment of the targeted component.

According to the CVSS metric, privileges required is low (PR:L) but the attack occurs remotely. What does that mean for this vulnerability?

To exploit this vulnerability, an attacker would be required to change a valid token to be malicious to the service/app, which would require developer-type authorization.

Affected Products (1)

Azure

  • Azure Core shared client library for Python

Security Updates (1)

Acknowledgments

Muhammad Fadilullah Dzaki (https://funscoietyxboyz.github.io/0xboyz/)

Revision History

  • 2026-01-13: Information published.