CVE-2026-41104 Overview
CVE-2026-41104 is a critical deserialization vulnerability in Microsoft Planetary Computer Pro. The flaw allows an unauthorized attacker to disclose information across a network by submitting crafted serialized data to the affected service. The weakness is classified under [CWE-502] Deserialization of Untrusted Data.
The vulnerability requires no authentication, no user interaction, and is exploitable remotely. The scope is changed, meaning a successful exploit can impact resources beyond the vulnerable component itself.
Critical Impact
Unauthenticated remote attackers can trigger unsafe deserialization in Microsoft Planetary Computer Pro to compromise confidentiality, integrity, and availability across trust boundaries.
Affected Products
- Microsoft Planetary Computer Pro
Discovery Timeline
- 2026-05-22 - CVE-2026-41104 published to the National Vulnerability Database
- 2026-05-26 - Last updated in the NVD
Technical Details for CVE-2026-41104
Vulnerability Analysis
Microsoft Planetary Computer Pro processes serialized objects supplied over the network without sufficient validation of the input data. When the service reconstructs the object graph, attacker-controlled type information and field values are honored during deserialization. This behavior allows a remote actor to influence application state and trigger unintended code paths inside the service process.
The network-reachable attack surface combined with the absence of authentication makes this issue exploitable directly from the internet where the service is exposed. Because the scope changes during exploitation, the impact extends beyond the deserializing component to other resources within the same trust boundary, including data stores and downstream APIs the service can reach.
Root Cause
The root cause is [CWE-502] Deserialization of Untrusted Data. The application deserializes objects received from an untrusted channel and does not enforce a strict allow-list of acceptable types. As a result, gadget chains within the available class space can be reached during object reconstruction, leading to information disclosure and broader compromise.
Attack Vector
An attacker sends a crafted serialized payload to a network endpoint exposed by Microsoft Planetary Computer Pro. The service deserializes the payload and instantiates attacker-influenced objects. The attacker then reads back sensitive state, cached credentials, or service responses returned by the application. See the Microsoft Security Update CVE-2026-41104 advisory for vendor-specific technical detail.
Detection Methods for CVE-2026-41104
Indicators of Compromise
- Inbound requests to Planetary Computer Pro endpoints containing serialized object headers or binary payloads inconsistent with normal API traffic.
- Unexpected outbound connections from the Planetary Computer Pro service to attacker-controlled hosts following payload submission.
- Anomalous read access patterns against data assets accessible to the service identity.
Detection Strategies
- Inspect application and gateway logs for malformed or oversized request bodies submitted to deserialization-handling endpoints.
- Correlate authentication-free requests with subsequent privileged data reads or configuration access.
- Hunt for process spawning, child process creation, or DNS lookups that deviate from the service baseline.
Monitoring Recommendations
- Enable verbose telemetry on the Planetary Computer Pro service tier and forward to a centralized analytics platform.
- Alert on first-seen IP addresses sending unauthenticated POST requests with binary content types.
- Track service account egress and flag connections to non-Microsoft destinations originating from the workload.
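The detection and monitoring items above (unauthenticated POSTs with binary content types, first-seen source IPs, oversized request bodies) can be combined into one triage pass over gateway logs. This is an added example, not vendor code: the JSON-lines schema, field names, paths, content-type set and size threshold are all assumptions, and the sample records are constructed.

```python
import json

# Assumed content types that indicate a binary or serialized-object body;
# tune this set to what the real API legitimately accepts.
BINARY_TYPES = {"application/octet-stream", "application/x-java-serialized-object"}
MAX_BODY_BYTES = 64 * 1024  # assumed baseline ceiling for normal API requests

# Constructed sample gateway records (JSON lines; field names and paths are hypothetical).
SAMPLE_LOG = """\
{"ts":"2026-05-27T10:00:01Z","src":"198.51.100.7","method":"GET","path":"/api/items","ctype":"","auth":true,"bytes":0}
{"ts":"2026-05-27T10:00:05Z","src":"198.51.100.7","method":"POST","path":"/api/items","ctype":"application/json","auth":true,"bytes":512}
{"ts":"2026-05-27T10:02:11Z","src":"203.0.113.50","method":"POST","path":"/api/ingest","ctype":"application/octet-stream","auth":false,"bytes":2048}
{"ts":"2026-05-27T10:02:40Z","src":"203.0.113.50","method":"POST","path":"/api/ingest","ctype":"application/octet-stream","auth":false,"bytes":131072}
{"ts":"2026-05-27T10:03:02Z","src":"198.51.100.7","method":"POST","path":"/api/ingest","ctype":"application/octet-stream; charset=binary","auth":true,"bytes":1024}
not-json garbage line
"""

def triage(log_text, known_ips=()):
    """Return alerts for unauthenticated POSTs with binary content types."""
    seen = set(known_ips)  # source IPs already in the baseline
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            src, ctype = rec["src"], str(rec.get("ctype") or "")
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the hunt
        first_seen = src not in seen
        seen.add(src)
        media = ctype.split(";")[0].strip().lower()  # drop parameters such as charset
        if rec.get("method") != "POST" or rec.get("auth") or media not in BINARY_TYPES:
            continue
        reasons = ["unauth-binary-post"]
        if first_seen:
            reasons.append("first-seen-ip")
        if rec.get("bytes", 0) > MAX_BODY_BYTES:
            reasons.append("oversized-body")
        alerts.append({"line": lineno, "src": src, "path": rec.get("path"), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, known_ips={"198.51.100.7"}):
        print(alert)
```

Seed `known_ips` from a pre-disclosure baseline so that first-seen flags reflect genuinely new sources rather than the start of the log window.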
How to Mitigate CVE-2026-41104
Immediate Actions Required
- Apply the Microsoft security update referenced in the MSRC advisory for CVE-2026-41104 as soon as it is available in your environment.
- Restrict network exposure of Planetary Computer Pro endpoints to known administrative networks until patching is complete.
- Rotate any credentials, keys, or tokens accessible to the affected service after confirming containment.
Patch Information
Microsoft has published guidance for CVE-2026-41104 through the Microsoft Security Response Center. Refer to the Microsoft Security Update CVE-2026-41104 page for the authoritative list of fixed builds and update channels.
Workarounds
- Place a web application firewall in front of the service and block requests carrying serialized object content types from untrusted sources.
- Disable or gate any API routes that accept serialized input until vendor updates can be applied.
- Enforce network segmentation so that the Planetary Computer Pro workload cannot reach sensitive data stores without explicit authorization.