CVE-2026-21531 — Azure AI Language Authoring Elevation of Privilege Vulnerability can Lead to RCE

Description

Deserialization of untrusted data in the Azure AI Language Conversations Authoring client library for Python allows an unauthorized attacker to execute code over a network.

How to fix CVE-2026-21531

To remediate CVE-2026-21531, upgrade the affected package to a fixed version below.

PyPI/azure-ai-language-conversations-authoring—upgrade to 1.0.0b4 or later

Is CVE-2026-21531 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.0.0b4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-21531
PATCHgithub.com/Azure/azure-sdk-for-python
WEBmsrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531