Cross-Tenant Data Leakage in Azure OpenAI Service via API Cache Poisoning
Overview
Cloud security firm Wiz discovered a critical vulnerability in the Azure OpenAI Service's backend infrastructure that could lead to cross-tenant data leakage. The flaw resided in a shared caching layer responsible for storing and retrieving token embeddings for popular prompts to optimize performance and reduce latency. Researchers found that by sending a series of malformed API requests with a specific hash-collision-inducing payload, an attacker could poison the cache entry for a common prompt. When another user from a different tenant submitted a request containing that same common prompt, the service would incorrectly retrieve the attacker's poisoned cache entry. This entry contained not just the expected embeddings but also fragments of metadata and response data from the attacker's previous session. While the direct leakage was limited to small data fragments, the researchers demonstrated a method to chain these leaks together to reconstruct sensitive information from other tenants' sessions, including personally identifiable information (PII) and proprietary business logic embedded in prompts. The root cause was a failure to properly key cache entries with a unique tenant identifier, allowing data from one tenant to be served to another. Microsoft addressed the issue server-side after a responsible disclosure process, requiring no action from customers.
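
The root cause named above, cache entries not keyed by tenant, is shown here in a minimal sketch next to a tenant-scoped design. This is an added example, not Microsoft's or Wiz's code; the class names, the HMAC-based key derivation, the service-side secret and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac


class PromptKeyedCache:
    """Flawed pattern: the key depends on the prompt only, so tenants share entries."""

    def __init__(self):
        self._store = {}

    def _key(self, tenant_id, prompt):
        return hashlib.sha256(prompt.encode()).hexdigest()  # tenant_id ignored

    def put(self, tenant_id, prompt, value):
        self._store[self._key(tenant_id, prompt)] = (tenant_id, value)

    def get(self, tenant_id, prompt):
        entry = self._store.get(self._key(tenant_id, prompt))
        return entry[1] if entry else None


class TenantScopedCache(PromptKeyedCache):
    """Hardened pattern: tenant ID is bound into the key and re-checked on read."""

    def __init__(self, secret):
        super().__init__()
        self._secret = secret  # service-side key (hypothetical), never exposed to callers

    def _key(self, tenant_id, prompt):
        tid = tenant_id.encode()
        # Length-prefix the tenant ID so ("ab", "c") and ("a", "bc") yield different keys.
        msg = len(tid).to_bytes(4, "big") + tid + prompt.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def get(self, tenant_id, prompt):
        entry = self._store.get(self._key(tenant_id, prompt))
        # Defense in depth: never serve an entry recorded for a different tenant.
        if entry is None or entry[0] != tenant_id:
            return None
        return entry[1]


def cross_tenant_read(cache):
    """Tenant A caches a common prompt; return what tenant B gets for the same prompt."""
    prompt = "Summarize the following text:"  # constructed sample data
    cache.put("tenant-a", prompt, {"embedding": [0.1, 0.2], "meta": "tenant-a session"})
    return cache.get("tenant-b", prompt)
```

Calling `cross_tenant_read` on `PromptKeyedCache` returns tenant A's entry to tenant B, while `TenantScopedCache` returns `None` for tenant B and still serves tenant A its own entry.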
Affected Systems
Testing Guide
1. **Confirmation from Vendor**: The vulnerability was patched server-side by Microsoft and is no longer reproducible. Verification relies on the security advisory and post-incident report issued by Microsoft.
2. **Log Review**: As a historical check, organizations could review logs from the affected period for any API responses containing anomalous or unexpected data fragments that did not correlate with their prompts.
Mitigation Steps
1. **Vendor Patch**: This vulnerability was patched server-side by Microsoft. No customer action is required to fix the specific flaw.
2. **Data Loss Prevention (DLP)**: Implement strict DLP policies to monitor and block the exfiltration of sensitive data patterns in API responses, providing defense in depth.
3. **Principle of Least Privilege**: Ensure that applications using the AI service have the minimum required permissions and do not have access to data beyond their immediate scope.
4. **Audit and Logging**: Regularly audit logs for anomalous API response patterns or unexpected data in model outputs.
Patch Details
A server-side patch was deployed by Microsoft globally on March 23, 2026. No client-side action is required.