CVE-2026-41094: Microsoft Data Formulator Code Injection Vulnerability
CVE-2026-41094 is a code injection vulnerability in Microsoft Data Formulator, allowing an unauthorized attacker to execute arbitrary code over a network.
CVE-2026-41094 is a code injection vulnerability affecting Microsoft Data Formulator. According to the NVD and Microsoft’s advisory, an unauthorized attacker can exploit this vulnerability to execute arbitrary code over a network. The vulnerability stems from improper control of code generation within the Data Formulator. Successful exploitation requires network access to the vulnerable Data Formulator instance. Given the high CVSS score (8.8), this vulnerability poses a significant risk, potentially allowing attackers to gain control of affected systems and networks.
Attack Chain
- Attacker identifies a vulnerable instance of Microsoft Data Formulator accessible over the network.
- The attacker crafts a malicious request containing injected code. This could involve manipulating input fields or parameters processed by the Data Formulator.
- The malicious request is sent to the vulnerable Data Formulator instance.
- The Data Formulator processes the malicious request, improperly generating code based on the attacker-supplied input.
- The injected code is executed within the context of the Data Formulator application.
- Depending on the injected code, the attacker can achieve various objectives, such as executing system commands, accessing sensitive data, or establishing a persistent backdoor.
- The attacker leverages the executed code to move laterally within the network, potentially compromising other systems.
Impact
Successful exploitation of CVE-2026-41094 allows an attacker to execute arbitrary code on systems running Microsoft Data Formulator. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. This can lead to complete system compromise, data breaches, and potential lateral movement within the network.
Recommendation
- Apply the security update provided by Microsoft to patch CVE-2026-41094 as soon as possible; reference the advisory URL in the references section.
- Deploy the Sigma rule “Detect Suspicious Data Formulator Code Injection” to your SIEM to identify potential exploitation attempts based on web requests.
- Monitor network traffic for suspicious activity targeting Microsoft Data Formulator instances.
Detection coverage (2 rules)
Detect Suspicious Data Formulator Code Injection
Severity: high. Detects CVE-2026-41094 exploitation - suspicious HTTP requests to Microsoft Data Formulator indicating potential code injection attempts.
Detect Data Formulator Process Spawning Suspicious Child Process
Severity: medium. Detects suspicious child processes spawned by the Data Formulator process, indicating potential code execution.
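The child-process detection described above can be sketched as follows. This is an added example, not the platform's rule or Microsoft's code. It assumes the service shows up as a Python process with `data_formulator` in its command line, uses a hypothetical list of suspicious child images, and goes beyond direct children by following the lineage through intermediate processes.

```python
# Added example: flag suspicious processes descended from a Data Formulator process.
# Assumption: the service is a Python process with this marker in its command line.
SERVICE_MARKER = "data_formulator"
# Assumption: programs a data-analysis web service is not expected to launch.
SUSPICIOUS_CHILDREN = {"sh", "bash", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "curl", "wget", "certutil.exe"}

# Constructed process-creation records (not captured telemetry), in time order.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "/usr/bin/python3.11",
     "cmdline": "python3.11 -m data_formulator"},
    {"pid": 140, "ppid": 100, "image": "/usr/bin/python3.11",
     "cmdline": "python3.11 worker.py"},
    {"pid": 150, "ppid": 140, "image": "/bin/sh", "cmdline": "sh -c id"},
    {"pid": 200, "ppid": 1, "image": "/bin/bash", "cmdline": "bash -l"},
    {"pid": 210, "ppid": 200, "image": "/usr/bin/curl",
     "cmdline": "curl https://example.com"},
    {"pid": 300, "ppid": 4, "image": r"C:\Python311\python.exe",
     "cmdline": "python.exe -m data_formulator"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

def image_name(path):
    """Lower-cased file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_service_root(ev):
    """True when the event starts the service itself (see assumption above)."""
    name = image_name(ev["image"])
    return (name.startswith(("python", SERVICE_MARKER))
            and SERVICE_MARKER in ev["cmdline"].lower())

def find_suspicious_children(events):
    """Return alerts for suspicious images anywhere below the service process."""
    lineage = {}  # pid -> ancestor pids, starting at the service root
    alerts = []
    for ev in events:  # PID reuse is not handled in this sketch
        if ev["ppid"] in lineage:
            lineage[ev["pid"]] = lineage[ev["ppid"]] + [ev["ppid"]]
            if image_name(ev["image"]) in SUSPICIOUS_CHILDREN:
                alerts.append({"pid": ev["pid"], "image": ev["image"],
                               "cmdline": ev["cmdline"],
                               "ancestors": lineage[ev["pid"]]})
        elif is_service_root(ev):
            lineage[ev["pid"]] = []
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_children(SAMPLE_EVENTS):
        print(alert)
```

The `ancestors` field gives the chain back to the service process, which helps triage an alert raised on a grandchild rather than a direct child.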