CVE-2026-21531: Azure SDK for Python Remote Code Execution Vulnerability

Overview

Severity

Critical (CVSS 9.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Feb

Released

2026-02-10

EPSS Score

0.46% (percentile: 64.1%)

Description

Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.

FAQ

How could an attacker exploit this vulnerability? An attacker could supply a maliciously crafted continuation token that, when processed by the Azure AI Language Conversations Authoring SDK, triggers unsafe deserialization and executes attacker‑controlled code on the system using the SDK.

Detection & Weaponization (1 sources)

Maturity: Exploit

• GitHub PoC: 1 repositories

Affected Products (1)

Azure

• Azure AI Language Authoring

Security Updates (1)

• Release Notes

Acknowledgments

<a href="https://www.linkedin.com/in/muhammad-fadilullah-dzaki-a9080a2b5/">Muhammad Fadilullah Dzaki</a>

Revision History

• 2026-02-10: Information published.