CVE-2026-41104 · Deserialization of untrusted data in Microsoft Planetary Computer Pro

01 · The Real Story

This is less a burning datacenter and more a bad lock on a rented storage unit Microsoft controls

CVE-2026-41104 is a CWE-502 deserialization flaw in Microsoft Planetary Computer Pro, specifically the Azure-hosted GeoCatalog service. The public records describe it as an *exclusively hosted service*, not a customer-managed server package, so there is no normal host-side version range to sweep for; the affected population is tenants that explicitly deployed Planetary Computer Pro GeoCatalog resources in Azure.

Microsoft scored it 10.0 CRITICAL, but that label does not survive contact with real-world operations. The product is niche, preview-limited, tenant-scoped, and Microsoft-owned on the patch side; meanwhile NVD's enrichment reframed impact as 7.5 HIGH confidentiality-only, and public telemetry shows no KEV listing, no public exploitation, and no public PoC. For an enterprise patch queue, this is not a fleet emergency; it is a low-priority SaaS exposure review.

"Vendor called it a 10, but for most enterprises this is a narrow SaaS exposure with no customer patch surface"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a live GeoCatalog tenant endpoint

The attacker first needs a target actually using Microsoft Planetary Computer Pro. In practice that means identifying a tenant-deployed Microsoft.Orbital/geoCatalogs resource and its catalog URI, then confirming the Azure-hosted service is reachable over the internet. Typical operator tooling would be az, browser recon, or passive endpoint discovery.

Conditions required:

Target organization has deployed Planetary Computer Pro GeoCatalog
Attacker can identify the tenant-specific catalog URI
Service endpoint is reachable from the attacker's network

Where this breaks in practice:

This is a niche Azure geospatial service, not broad enterprise middleware
Deployment requires an Azure subscription and explicit GeoCatalog provisioning
Preview-era region limits and low install base shrink the reachable population

Detection/coverage: Standard vuln scanners have weak coverage here because there is no customer-visible package/version fingerprint to match; Azure inventory and resource enumeration are better than network scanning.

STEP 02

Reach the vulnerable request path with a crafted payload

The published weakness is deserialization of untrusted data, so the weaponized step is a crafted request aimed at whichever backend API path accepts the serialized object. A realistic operator stack would be Burp Suite or curl plus a hand-built payload once the endpoint semantics are understood. The public advisory does not include a request pattern or proof-of-concept, so exploit development would require reverse engineering the API behavior.

Conditions required:

A pre-auth or otherwise reachable API route actually exposes the vulnerable deserialization path
Request format can be inferred from public docs, client traffic, or trial-and-error
Microsoft has not already silently remediated the backend

Where this breaks in practice:

No public PoC, Metasploit module, or exploit write-up was found
Product documentation emphasizes Microsoft Entra ID and RBAC around access
Tenant-specific cloud front ends and service-layer validation may block malformed requests before they hit the vulnerable logic

Detection/coverage: Look for anomalous requests to GeoCatalog/STAC or ingestion-related endpoints, repeated parser errors, unusual 4xx/5xx bursts, and spikes in Azure sign-in or application logs around the service.

STEP 03

Abuse backend deserialization for disclosure

If the vulnerable parser is reachable, the backend could deserialize attacker-controlled data and disclose sensitive information from the service context. The most conservative interpretation is the one NVD took: confidentiality impact is real, but public evidence does not support the vendor's implied full remote compromise storyline. Tooling here is just the exploit payload and response harvesting; there is no public follow-on module chain.

Conditions required:

The exact vulnerable code path is still present in Microsoft's hosted backend
The flaw yields data disclosure rather than only a failed parse
Useful tenant data is exposed through the response or side-channel

Where this breaks in practice:

Public description says information disclosure, not demonstrated tenant takeover or code execution
Blast radius appears bounded to a service tenant, not your whole Windows/Linux fleet
No in-the-wild reporting suggests attackers have operationalized the path

Detection/coverage: Detection is mostly service-log driven: abnormal response sizes, unexpected data egress from GeoCatalog APIs, and request/response patterns inconsistent with normal STAC or ingestion workflows.

STEP 04

Monetize the tenant-scoped access

The practical impact is theft of geospatial datasets, metadata, or related tenant content exposed through the service. That matters to organizations using the platform, but it does not automatically translate into enterprise-wide compromise, domain takeover, or rapid wormable spread. The attacker still has a narrow, product-specific post-exploitation lane.

Conditions required:

Victim tenant stores sensitive or commercially valuable geospatial data in the GeoCatalog
Exposed data is sufficient to create operational or regulatory impact

Where this breaks in practice:

Many enterprises do not run this product at all
Even among users, impact is confined to the GeoCatalog tenancy and attached data workflows
Separate controls around storage, identity, and downstream apps can still limit lateral utility

Detection/coverage: Monitor for unusual read volume, atypical queries, unexpected token use against the service, and downstream access to exported datasets.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found during this assessment; not listed in CISA KEV.
Proof-of-concept availability	No public PoC found in vendor material or broad public search results; no Metasploit or commonly cited GitHub exploit repo surfaced.
EPSS	`0.0031` from the user-provided intel block; that is very low exploit-likelihood signal. Percentile was not authoritatively verified in browsed sources.
KEV status	No; absent from the CISA Known Exploited Vulnerabilities Catalog.
CVSS and interpretation	Microsoft CNA scored it 10.0 / CRITICAL with `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, but NVD enrichment shows 7.5 / HIGH with `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`, which better matches the published information disclosure description.
Affected population	This is tagged `Exclusively Hosted Service` and tied to Microsoft Planetary Computer Pro GeoCatalog, so the affected set is tenants that deployed the hosted Azure service, not generic Windows or Linux servers.
Fixed versions	No customer-visible fixed version published in the browsed records. For defenders, this looks like a service-side remediation problem owned by Microsoft rather than a package upgrade on your hosts.
Exposure reality	Planetary Computer Pro is a specialized Azure geospatial service that must be explicitly deployed as a GeoCatalog resource; Microsoft docs also state all data is secured via Microsoft Entra ID. That sharply narrows real exposure compared with a mass-deployed edge product.
Scanning / internet telemetry	No published GreyNoise/Shodan/Censys product-specific exposure counts found during this assessment. What is publicly documented is the per-tenant Azure resource model and catalog URI, not broad internet census data.
Disclosure and attribution	Disclosed 2026-05-22. Microsoft is the CNA/source in NVD; no public external researcher credit was visible in the browsed records.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (2.8/10)

The decisive factor is ownership and reachability: this is an *exclusively hosted Microsoft service* with a small, explicit deployment population, not a customer-managed package spread across your fleet. Even if the flaw is real, the enterprise patch burden is mostly replaced by vendor-side remediation and tenant access review, which collapses its priority in a 10,000-host queue.

HIGH This is a Microsoft-hosted SaaS/service issue rather than a broad customer-host patch item

MEDIUM Real-world exploitability is lower than the vendor's 10.0 label

LOW Exact vulnerable API path and technical exploit mechanics

Why this verdict

Vendor 10.0 is inflated for patch operations because the public description says *information disclosure* while NVD's later enrichment cut it to confidentiality-only 7.5 HIGH.
Attack position is narrower than the CVSS suggests: the attacker needs a live, tenant-specific GeoCatalog deployment in a specialized Azure service. That implies a small exposed population, not a ubiquitous edge footprint.
Modern controls add real friction: Microsoft documentation centers the service on Microsoft Entra ID, RBAC, and explicit GeoCatalog deployment. Even if PR:N is technically true for one endpoint, most real deployments are still identity- and tenant-bounded.
There is no public exploitation heat: no KEV entry, no public PoC, and a very low user-supplied EPSS 0.0031 all push down urgency.
Blast radius is product-scoped: compromise would threaten a Planetary Computer Pro tenant and its data, not hand an attacker instant control of your workstation/server estate.
Customer remediation leverage is limited: because this is an exclusively hosted service, defenders cannot roll a package upgrade across endpoints, which makes this primarily a SaaS assurance and exposure-management item.

Why not higher?

To justify HIGH or CRITICAL here, you would want one of three things: active exploitation, broad deployment, or demonstrated pre-auth tenant-compromise mechanics with clear enterprise-scale blast radius. We have none of those in public evidence. The product is niche, service-hosted, and documented as an Azure resource with Entra-backed access controls, so each prerequisite compounds downward pressure on severity.

Why not lower?

It should not be IGNORE because organizations that actually use Planetary Computer Pro may still have sensitive geospatial data in scope, and the flaw is still remotely reachable in a hosted service. You also need to verify whether Microsoft has remediated the backend and whether your tenant exposure, RBAC assignments, and data sensitivity justify local containment steps.

05 · Compensating Control

What to do — in priority order.

Inventory GeoCatalog usage — Identify whether any subscriptions actually run Microsoft.Orbital/geoCatalogs. Do this now as backlog hygiene for a LOW verdict, because if you do not use the service this drops out of scope immediately.
Review GeoCatalog RBAC — Reduce standing access to GeoCatalog Administrator, Owner, and related roles; keep only named identities and applications that genuinely need access. For a LOW verdict there is no mitigation SLA, so treat this as backlog hygiene rather than emergency change control.
Constrain app identities — Audit service principals and managed identities permitted to call Planetary Computer Pro, and remove stale or over-broad delegated access. This matters because even when the CVE is pre-auth in theory, real abuse often becomes easier in tenants with sloppy identity sprawl; again, LOW means backlog hygiene.
Ask Microsoft for remediation status — Because this is an exclusively hosted service with no customer-visible patched version, confirm through Microsoft support/account channels whether backend remediation is complete for your tenant and whether any post-incident steps are recommended. This is the closest thing to remediation you actually control.
Monitor for unusual catalog access — Enable and retain service, identity, and Azure activity logs around GeoCatalog access, then baseline query/read behavior so abnormal dataset enumeration or bulk reads stand out. For LOW, schedule it as normal control hardening rather than emergency containment.

What doesn't work

Traditional host patch SLAs do not help much here, because there is no customer-managed server package/version to push across endpoints.
A generic network vulnerability scan is weak coverage, because the service is tenant-hosted SaaS and public records do not expose a neat version fingerprint.
EDR on workstations/servers does not materially reduce the core risk; the vulnerable code path is in Microsoft's hosted backend, not your endpoint process tree.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation or CI runner that has the Azure CLI installed and authenticated with at least Reader access across the subscriptions you want to inspect. Invoke it as ./check_cve_2026_41104.sh or ./check_cve_2026_41104.sh <subscription-id>; no target-host access is needed because this CVE is an *exclusively hosted service* and patch state is not visible from the endpoint.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_cve_2026_41104.sh
# Purpose: Determine whether the current Azure scope uses Microsoft Planetary Computer Pro GeoCatalog.
# Because CVE-2026-41104 is an exclusively hosted service, customer-visible patch state is opaque.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=ERROR

set -euo pipefail

SUBSCRIPTION_OVERRIDE="${1:-}"
FOUND=0
ERRORS=0

if ! command -v az >/dev/null 2>&1; then
  echo "UNKNOWN - Azure CLI ('az') not installed"
  exit 2
fi

if ! az account show >/dev/null 2>&1; then
  echo "UNKNOWN - Azure CLI not authenticated; run 'az login' first"
  exit 2
fi

check_one_subscription() {
  local sub_id="$1"
  local sub_name="$2"

  if ! az account set --subscription "$sub_id" >/dev/null 2>&1; then
    echo "# Failed to select subscription: $sub_name ($sub_id)" >&2
    ERRORS=$((ERRORS+1))
    return
  fi

  local rows
  if ! rows=$(az resource list \
      --resource-type "Microsoft.Orbital/geoCatalogs" \
      --query "[].{name:name,resourceGroup:resourceGroup,location:location,id:id}" \
      -o tsv 2>/dev/null); then
    echo "# Failed to enumerate GeoCatalog resources in: $sub_name ($sub_id)" >&2
    ERRORS=$((ERRORS+1))
    return
  fi

  if [[ -n "${rows}" ]]; then
    FOUND=1
    echo "# Planetary Computer Pro GeoCatalog resources found in subscription: $sub_name ($sub_id)" >&2
    while IFS=$'\t' read -r name rg location id; do
      [[ -z "${name:-}" ]] && continue
      echo "#   name=$name rg=$rg location=$location id=$id" >&2
    done <<< "$rows"
  fi
}

if [[ -n "$SUBSCRIPTION_OVERRIDE" ]]; then
  sub_name=$(az account show --subscription "$SUBSCRIPTION_OVERRIDE" --query name -o tsv 2>/dev/null || echo "$SUBSCRIPTION_OVERRIDE")
  check_one_subscription "$SUBSCRIPTION_OVERRIDE" "$sub_name"
else
  while IFS=$'\t' read -r sub_id sub_name; do
    [[ -z "${sub_id:-}" ]] && continue
    check_one_subscription "$sub_id" "$sub_name"
  done < <(az account list --all --query "[?state=='Enabled'].[id,name]" -o tsv)
fi

if [[ $FOUND -eq 1 ]]; then
  echo "UNKNOWN - GeoCatalog resources exist, but CVE-2026-41104 is a Microsoft-hosted service with no customer-visible patch/version signal. Verify remediation status with Microsoft and review tenant RBAC/logging."
  exit 2
fi

if [[ $ERRORS -gt 0 ]]; then
  echo "UNKNOWN - No GeoCatalog resources found in checked scope, but one or more subscriptions could not be evaluated"
  exit 2
fi

echo "PATCHED - No Microsoft Planetary Computer Pro GeoCatalog resources found in the evaluated Azure scope; CVE-2026-41104 is not applicable here"
exit 0

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not put this in the same lane as internet-edge RCEs. Because this is a LOW noisgate call, there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene: first confirm whether your Azure estate even runs any Microsoft.Orbital/geoCatalogs, then ask Microsoft to confirm backend remediation status for any tenants in use, and clean up RBAC/app identities as ordinary backlog work rather than emergency patching.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.