CVE-2026-21229
published 2026-02-10

CVE-2026-21229: Improper input validation in Power BI allows an authorized attacker to execute code over a network.

Priority P263 · high · 8.8 · CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.90% (55.2th percentile)
Improper input validation in Power BI allows an authorized attacker to execute code over a network.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | power_bi_report_server | < 15.0.1120.113 | 15.0.1120.113 |
| microsoft | power_bi_report_server | >= 1.6.0 < 15.0.1120.113 | 15.0.1120.113 |
| msrc | power_bi_report_server | | |

Detection & IOCs (extracted from sources)

  • Vulnerability class is improper input validation in Power BI enabling remote code execution over a network by an authorized/authenticated attacker
  • Attacker gains privileges of the authenticated user upon successful exploitation — monitor for unexpected privilege use or lateral movement originating from Power BI service accounts
  • Exploit status is currently 'Exploitation Unlikely' with no public exploit or known in-the-wild exploitation at time of publication — prioritize patching accordingly
  • Customer action is required — patch must be applied manually; refer to Power BI Report Server changelog and the Microsoft download link for the fixed release

CVSS provenance

nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc: 8.0 HIGH