CVE-2026-21226: Azure Core is vulnerable to deserialization of untrusted data

January 13, 2026

Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.

References

github.com/Azure/azure-sdk-for-python
github.com/Azure/azure-sdk-for-python/blob/6d2e6431ea0991861640e449e51e894247a7771a/sdk/core/azure-core/CHANGELOG.md
github.com/advisories/GHSA-jm66-cg57-jjv5
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21226
nvd.nist.gov/vuln/detail/CVE-2026-21226

Code Behaviors & Features

Detect and mitigate CVE-2026-21226 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →