AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-33833: Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Lear

highvulnerability

security

Source: NVD/CVE DatabaseMay 12, 2026CVE-2026-33833

Summary

CVE-2026-33833 is a vulnerability in Azure Machine Learning where special characters in output are not properly filtered before being used by another component, allowing an attacker to perform spoofing (pretending to be someone or something else) over a network. The vulnerability has a CVSS score (a 0-10 severity rating) of 4.0, indicating moderate severity. This type of flaw is known as an injection vulnerability (CWE-74), where untrusted data can be used to manipulate downstream processes.

Vulnerability Details

CVSS Score

8.2(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

required

Disclosure Date

May 12, 2026

Classification

Attack Type

Other

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedInference

Taxonomy References

CWE (Weakness Type)

CWE-74

Affected Vendors

Microsoft

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-33833

First tracked: May 12, 2026 at 08:09 PM

Classified by LLM (prompt v3) · confidence: 75%