CVE-2026-23652 Overview
CVE-2026-23652 is a command injection vulnerability in Microsoft Power Pages, the low-code SaaS platform for building external-facing business websites. The flaw stems from improper neutralization of special elements used in a command [CWE-77]. An unauthorized attacker can execute arbitrary code over a network without user interaction or prior authentication. Microsoft published guidance through its Security Response Center (MSRC). Because Power Pages is a managed cloud service, exposure spans tenants that deploy custom site logic on the platform.
Critical Impact
Unauthenticated attackers can execute code remotely over the network against Microsoft Power Pages sites, with full impact on confidentiality, integrity, and availability.
Affected Products
- Microsoft Power Pages (cloud service)
- Sites built on the Power Pages low-code platform
- Tenants exposing Power Pages portals to the public internet
Discovery Timeline
- 2026-05-22 - CVE-2026-23652 published to the National Vulnerability Database
- 2026-05-27 - Last updated in the NVD
Technical Details for CVE-2026-23652
Vulnerability Analysis
The vulnerability is classified under [CWE-77]: Improper Neutralization of Special Elements used in a Command. Power Pages accepts attacker-controlled input that flows into a command construction routine without adequate sanitization. The downstream interpreter executes the resulting command, granting the attacker the privileges of the service process.
The attack is reachable over the network and requires no authentication or user interaction. An attacker who sends a crafted request to an exposed Power Pages endpoint can trigger command execution. Successful exploitation yields high impact across confidentiality, integrity, and availability, consistent with remote code execution against a multi-tenant cloud service.
No public proof-of-concept exploit is available at the time of writing. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and the EPSS probability remains low. Power Pages is a Microsoft-managed service, so remediation flows through Microsoft rather than customer-side patching for the core platform.
Root Cause
The root cause is missing or insufficient neutralization of shell metacharacters and delimiters in input passed to a command interpreter. When user-controlled data is concatenated into a command string, characters such as ;, |, &, and backticks alter the command structure. The interpreter then executes attacker-supplied commands alongside the intended call.
Attack Vector
The attack vector is network-based with low complexity. An unauthenticated remote attacker submits crafted input to a vulnerable Power Pages request handler. The payload contains shell metacharacters that break out of the intended command context. The platform processes the request and executes the injected command in the service runtime.
No verified exploit code is publicly available. Refer to the Microsoft Security Update CVE-2026-23652 advisory for vendor technical details.
Detection Methods for CVE-2026-23652
Indicators of Compromise
- Unexpected outbound network connections originating from Power Pages site processes to unfamiliar hosts.
- Anomalous request payloads to Power Pages endpoints containing shell metacharacters such as ;, |, &&, or backticks.
- Unusual child processes spawned in the Power Pages runtime context, particularly shell interpreters or scripting hosts.
- Spikes in server-side errors or latency correlated with crafted POST or GET requests to portal URLs.
Detection Strategies
- Inspect web application firewall (WAF) and Azure Front Door logs for requests containing command separators or encoded shell syntax targeting Power Pages routes.
- Correlate request patterns against Microsoft Defender for Cloud Apps and Microsoft Sentinel analytics for Power Platform.
- Hunt for outbound DNS or HTTP beacons from Power Platform connector traffic that lack a legitimate business context.
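The WAF-log hunt described above, as an added Python example that is not part of the advisory or of any Microsoft tooling: it parses each query string before looking for the metacharacters listed in the indicators, so the & that separates parameters is not counted, while percent-encoded forms are decoded and caught. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log sample (not real traffic). Assumed format:
# <timestamp> <source-ip> <method> <path?query> HTTP/<ver> <status>
SAMPLE_LOG = """\
2026-05-23T10:01:02Z 203.0.113.5 GET /contact?name=Alice+Smith&subject=Quote HTTP/1.1 200
2026-05-23T10:01:07Z 203.0.113.9 GET /search?q=report%3Becho%20probe HTTP/1.1 500
2026-05-23T10:01:09Z 198.51.100.7 POST /api/forms?id=42&note=%60echo%20probe%60 HTTP/1.1 500
2026-05-23T10:01:12Z 203.0.113.5 GET /static/app.js?v=3 HTTP/1.1 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+) HTTP/\S+ (?P<status>\d{3})$"
)
# Command separators and substitution syntax named in the indicators above.
META_RE = re.compile(r"[;|&`]|\$\(")


def suspicious_values(target):
    """Return (param, decoded value) pairs whose value contains shell metacharacters.

    The query string is split into parameters first, so the '&' between
    parameters is never a hit; only metacharacters inside a decoded value are.
    parse_qsl also undoes percent-encoding and '+' spaces before the check.
    """
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if META_RE.search(v)]


def scan_log(text):
    """Return one finding per request whose parameters carry metacharacters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        hits = suspicious_values(m["target"])
        if hits:
            findings.append({
                "ts": m["ts"], "src": m["src"], "method": m["method"],
                "path": urlsplit(m["target"]).path, "status": m["status"],
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["method"], f["path"], f["status"], f["params"])
```

Correlating the flagged requests with the 5xx status seen on the same lines gives the error-spike signal from the indicators a concrete trigger.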
Monitoring Recommendations
- Enable diagnostic logging for Power Pages sites and forward logs to a centralized SIEM for retention and correlation.
- Establish baselines for normal request payload structure and alert on deviations involving control characters.
- Track Microsoft Service Health and MSRC advisories for status updates tied to CVE-2026-23652.
How to Mitigate CVE-2026-23652
Immediate Actions Required
- Review the Microsoft Security Update CVE-2026-23652 advisory and confirm mitigation status across all tenants.
- Audit all Power Pages sites for exposure, custom code, and Liquid templates that handle untrusted input.
- Restrict public access to non-production Power Pages portals while validating service-side remediation.
- Rotate secrets, API keys, and connection strings referenced by Power Pages sites if compromise is suspected.
Patch Information
Microsoft Power Pages is a Microsoft-hosted service, so the core platform fix is delivered by Microsoft without customer action on infrastructure. Customers must still review and update custom site code, web templates, and Power Fx logic that may replicate the unsafe pattern. Consult the Microsoft Security Update CVE-2026-23652 entry for service version status and any required tenant-side updates.
Workarounds
- Apply input validation and allowlisting in custom Power Pages code paths that interact with server-side commands or connectors.
- Place Power Pages portals behind a WAF with rules blocking shell metacharacters in request parameters where feasible.
- Disable or restrict unauthenticated site features that accept free-form text until the vendor confirms full remediation.
- Enforce least-privilege configuration on Dataverse tables and connectors referenced by externally accessible Power Pages.
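The allowlisting workaround above, together with the root-cause mechanism of metacharacters changing command structure, as an added Python example that is not part of the advisory or of Power Pages: the unsafe builder is kept as a string and only tokenized the way a shell would, beside the hardened form that allowlists the value and passes it as a single argv element. The export-report tool, the report-name field and its allowlist are hypothetical.

```python
import re
import shlex

# Hypothetical allowlist for a free-form "report name" field in custom site code;
# an assumption for this example, not a Power Pages or Power Fx API.
REPORT_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")


def build_command_unsafe(report_name):
    """CWE-77 pattern: untrusted text concatenated into a shell command string.
    Returned as a string only, never executed, to show the structural change."""
    return "export-report --name " + report_name


def shell_tokens(command):
    """Tokenize as a POSIX shell would, keeping ; | & ` as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_report_name(value):
    """Allowlist check: letters, digits, space, dot, underscore, hyphen only."""
    if not REPORT_NAME_RE.fullmatch(value):
        raise ValueError("report name rejected by allowlist: %r" % value)
    return value


def build_command_safe(report_name):
    """Hardened form: allowlisted value as one argv element, for use with
    subprocess.run(argv, shell=False); no interpreter ever parses the value."""
    return ["export-report", "--name", validate_report_name(report_name)]


if __name__ == "__main__":
    crafted = "q3; echo probe"
    print(shell_tokens(build_command_unsafe(crafted)))  # a second command appears
    print(build_command_safe("Q3 Sales.pdf"))
    try:
        build_command_safe(crafted)
    except ValueError as err:
        print("rejected:", err)
```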
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.