CVE-2026-21229
Published 2026-02-10
CVE-2026-21229: Improper input validation in Power BI allows an authorized attacker to execute code over a network.
Priority P2 · 63 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.90% (55.2th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | power_bi_report_server | < 15.0.1120.113 | 15.0.1120.113 |
| microsoft | power_bi_report_server | >= 1.6.0 < 15.0.1120.113 | 15.0.1120.113 |
| msrc | power_bi_report_server | — | — |
Detection & IOCs
- Vulnerability class is improper input validation in Power BI enabling remote code execution over a network by an authorized/authenticated attacker
- Attacker gains privileges of the authenticated user upon successful exploitation — monitor for unexpected privilege use or lateral movement originating from Power BI service accounts
- Exploit status is currently 'Exploitation Unlikely' with no public exploit or known in-the-wild exploitation at time of publication — prioritize patching accordingly
- Customer action is required — patch must be applied manually; refer to Power BI Report Server changelog and the Microsoft download link for the fixed release
CVSS provenance
- nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vendor_msrc · 8.0 HIGH
Microsoft
Power BI Remote Code Execution Vulnerability
vendor_msrc·2026-02-10·CVSS 8.0
CVE-2026-21229 [HIGH] CWE-20 Power BI Remote Code Execution Vulnerability
Description: Improper input validation in Power BI allows an authorized attacker to execute code over a network.
FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability?
An attacker who successfully exploited this vulnerability could gain the privileges of the authenticated user.
Power BI: Power BI
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Unlikely
Remediation: Release Notes
Reference: https://www.microsoft.com/en-us/download/details.aspx?id=105943
Reference: https://learn.microsoft.com/en-us/power-bi/report-server/changelog
GHSA
GHSA-9h3x-5px3-gfh7: Improper input validation in Power BI allows an authorized attacker to execute code over a network
ghsa_unreviewed·2026-02-10
CVE-2026-21229 [HIGH] CWE-20 GHSA-9h3x-5px3-gfh7: Improper input validation in Power BI allows an authorized attacker to execute code over a network
Improper input validation in Power BI allows an authorized attacker to execute code over a network.
No detection rules found.
No public exploits indexed.
Sophos
February’s Patch Tuesday assumes battle stations
blogs_sophos·2026-02-13
Qualys
Microsoft and Adobe Patch Tuesday, February 2026 Security Update Review
blogs_qualys·2026-02-10
Microsoft’s February 2026 Patch Tuesday focuses on closing security gaps that attackers could exploit, reinforcing the importance of timely patching in enterprise environments. Here’s a quick breakdown of what you need to know.
## Microsoft Patch Tuesday for February 2026
This month’s release addresses 61 vulnerabilities, i
Bleepingcomputer
Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
blogs_bleepingcomputer·2026-02-10·CVSS 8.8
[HIGH] Microsoft February 2026 Patch Tuesday fixes 6 zero-days, 58 flaws
## Lawrence Abrams
- 25 Elevation of Privilege vulnerabilities
- 5 Security Feature Bypass vulnerabilities
- 12 Remote Code Execution vulnerabilities
- 6 Information Disclosure vulnerabilities
- 3 Denial of Service vulnerabilities
- 7 Spoofing vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include 3 Microsoft Edge flaws fixed earlier this month.
As part of these updates, Microsoft has also begun to roll out updated Secure Boot certificates to replace the original 2011 certificates that are expiring in late June 2026.
"With this update, Windows quality updates include a broad set of targeting data that i
Sophos
February’s Patch Tuesday assumes battle stations
blogs_sophos
Microsoft on Tuesday released 58 patches affecting 15 product families. Five of the addressed issues, all involving Azure, are considered by Microsoft to be of Critical severity, though only two require urgent attention (more on that below). Fifteen have a CVSS base score of 8.0 or higher, including two with a 9.8 base score. Six are known to be under active exploit in the wild, and three are publicly disclosed (including one not yet known to be under exploit).
At patch time, five CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation, in addition to the six already detected to be so. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below. The release also
Published: 2026-02-10