Critical SSRF fixed in Azure Databricks service
TL;DR — A critical SSRF in Azure Databricks can let an unauthorized attacker escalate privileges over the network; the service is Microsoft-hosted, so there is no customer-side patch, but exposure and abuse should still be reviewed.
What happened
Azure Databricks is Microsoft’s hosted Databricks/Spark-based analytics platform used for data engineering, ETL, and ML workflows.
CVE-2026-33107 describes a server-side request forgery (SSRF) issue in Azure Databricks that can allow an unauthorized attacker to elevate privileges over a network. The CVE record reports CVSS v3.1 10.0 (Critical).
This CVE is notable for platform teams because SSRF in managed cloud services is frequently an access-boundary break: it can turn “network reachability” into a control-plane or identity-impacting primitive, and it’s easy to miss in threat models when the affected component is “just a service.”
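The pattern that makes SSRF in a hosted service an identity problem is a server-side component that fetches a URL it was handed and can therefore reach the instance metadata service (169.254.169.254 on Azure, which hands out managed-identity tokens) or internal control-plane nodes. The guard below is an added example of how a fetch-by-URL feature should be hardened; it is not Azure Databricks code and says nothing about the component fixed under CVE-2026-33107. The allowlist, hostnames, the placeholder public IP and the fake DNS answers are constructed for the example.

```python
"""Egress guard for a service that fetches user-supplied URLs (SSRF defence).

Added illustration of the SSRF-to-identity pattern; not Azure Databricks code.
Allowlist entries, hostnames and resolver answers are constructed for the example.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

# Link-local address of the Azure (and AWS/GCP) instance metadata service: a
# server-side fetch that reaches it usually returns a managed-identity token.
IMDS_ADDRESS = "169.254.169.254"

Resolver = Callable[[str], List[str]]


def resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host (requires network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_non_public(ip_text: str) -> bool:
    """True for any address a user-controlled fetch must never reach:
    private, loopback, link-local (IMDS), multicast, reserved, unspecified."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:169.254.169.254 is the same target as 169.254.169.254.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def check_outbound_url(url: str, allowed_hosts: Iterable[str],
                       resolver: Resolver = resolve_all) -> str:
    """Validate url before the server fetches it.

    Returns the IP address the caller must connect to (pin it; re-resolving
    reopens the DNS-rebinding window) or raises ValueError. The HTTP client
    must not follow redirects unless every hop is re-checked the same way.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        raise ValueError("no host in URL")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        # Literals are how an attacker names IMDS or an internal node directly.
        # Decimal/octal spellings such as 2130706433 are not literals to
        # ipaddress, but they are not allowlisted names either, so they fail below.
        raise ValueError(f"IP literal not allowed: {host}")
    allowed = {h.lower().rstrip(".") for h in allowed_hosts}
    if host.lower().rstrip(".") not in allowed:
        raise ValueError(f"host not in allowlist: {host}")
    answers = resolver(host)
    if not answers:
        raise ValueError(f"{host} did not resolve")
    bad = [a for a in answers if is_non_public(a)]
    if bad:
        # Allowlisted name pointing at internal space (misconfiguration or rebinding).
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return answers[0]


def classify(url: str, allowed_hosts: Iterable[str],
             resolver: Resolver = resolve_all) -> str:
    """'ok:<pinned ip>' or 'blocked:<reason>' for url."""
    try:
        return "ok:" + check_outbound_url(url, allowed_hosts, resolver)
    except ValueError as exc:
        return "blocked:" + str(exc)


def demo() -> Dict[str, str]:
    """Run constructed attack and benign URLs through the guard (offline)."""
    fake_dns = {  # constructed answers; 93.184.216.34 is just a public placeholder
        "data.example.com": ["93.184.216.34"],
        "rebind.example.com": ["93.184.216.34", IMDS_ADDRESS],
    }
    resolver = lambda host: fake_dns.get(host.lower().rstrip("."), [])
    allowed = ["data.example.com", "rebind.example.com"]
    urls = [
        f"http://{IMDS_ADDRESS}/metadata/instance?api-version=2021-02-01",
        f"http://[::ffff:{IMDS_ADDRESS}]/metadata/instance",
        "http://127.0.0.1:8443/internal/admin",
        f"https://data.example.com@{IMDS_ADDRESS}/",   # userinfo trick
        "file:///etc/passwd",
        "https://data.example.com/export.csv",
        "https://rebind.example.com/export.csv",
    ]
    return {u: classify(u, allowed, resolver) for u in urls}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:<60} {url}")
```

Only the last-but-one URL is allowed; the rebinding case is rejected because one DNS answer lands in link-local space even though the name is allowlisted. The design choice worth noting is that the allowlist, not the IP range check, is the primary control: range checks alone miss alternate spellings, redirects and rebinding, which is why the function also returns a pinned address for the caller to connect to.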
Who is impacted
- Any organization using Azure Databricks (the CVE record is tagged exclusively-hosted-service, i.e. the fix is applied on Microsoft's side and there is no customer-side version to upgrade).
| Component | Affected versions (per CVE record) | Notes |
|---|---|---|
| Azure Databricks | Not applicable (hosted service) | Hosted service advisory; the CVE record gives no customer-managed version range. |
What to do now
- Follow vendor remediation guidance and validate your exposure posture using Microsoft’s advisory reference for CVE-2026-33107.
- Treat this as an SSRF-to-privilege-escalation class issue: review Azure Databricks workspace access paths (especially any network paths reachable from untrusted environments) and re-check the assumption that endpoints reachable only from inside the service network (instance metadata, control-plane APIs, storage) are therefore safe; an SSRF primitive makes them reachable from wherever the vulnerable service can be reached.
- If you suspect abuse, review Azure Databricks audit/activity logs for anomalous requests and privilege changes, and rotate any credentials/tokens that would be high-impact if exposed via server-side request routing.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
