CVE-2026-21229: Power BI Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Unlikely

Patch Tuesday

2026-Feb

Released

2026-02-10

EPSS Score

0.06% (percentile: 18.5%)

Description

Improper input validation in Power BI allows an authorized attacker to execute code over a network.

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain the privileges of the authenticated user.

Affected Products (1)

SQL Server

• Power BI Report Server

Security Updates (1)

• Release Notes

Acknowledgments

Jack Misiura with <a href="https://www.themissinglink.com.au/">The Missing Link</a>

Revision History

• 2026-02-10: Information published.