Cross-Tenant Data Leakage in Azure OpenAI via Flawed Asynchronous Job Handling
Overview
Security researchers from Wiz discovered a high-severity vulnerability in the Azure OpenAI service's fine-tuning and batch processing APIs. The flaw stemmed from a race condition and improper resource validation in the asynchronous job handling backend. An authenticated attacker in one Azure tenant could submit a fine-tuning job request with a specially crafted resource identifier pointing to a dataset in another tenant's private storage account. Under specific timing conditions, the backend validation service would fail to correctly authorize the cross-tenant data access before the job was queued for processing. This allowed the attacker's fine-tuning job to be trained on the victim's proprietary data.

While this did not allow direct reading of the data, the attacker could infer sensitive information by analyzing the resulting fine-tuned model's behavior, outputs, and weights—a technique known as model extraction or data inference. This vulnerability posed a significant risk to enterprises training custom models on trade secrets, financial records, or personally identifiable information (PII). Microsoft's MSRC was notified and promptly patched the backend API, confirming that no evidence of exploitation was found in customer environments.
Affected Systems
Testing Guide
This vulnerability was in the cloud provider's backend infrastructure and cannot be tested directly by customers. The primary method of verification is to ensure all security best practices for data storage on Azure are being followed.
1. Review the IAM roles and access policies on the Azure Storage Accounts used for AI training data.
2. Confirm that public access is disabled.
3. Verify that network access is restricted to trusted virtual networks.
Mitigation Steps
1. **Vendor Patch:** The vulnerability was patched on the server-side by Microsoft. No customer action is required to fix the specific flaw.
2. **Principle of Least Privilege:** Configure IAM and network policies for storage accounts containing training data to be as restrictive as possible. Use private endpoints and disable public access.
3. **Data Encryption:** Use Customer-Managed Keys (CMK) for data encryption at rest. This provides an additional layer of control, as the service would need explicit permission to use the key.
4. **Monitor Access Logs:** Regularly audit storage account access logs for any anomalous or unexpected access patterns originating from Microsoft services.
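The storage checks from the testing guide and mitigation steps above, as an added example that is not part of the original advisory or any Microsoft tooling: a Python audit over storage account JSON in the shape returned by `az storage account show`. The account names and sample data are constructed, the finding labels are hypothetical, and IAM role assignments are not covered because they are listed separately from the account resource.

```python
import json

# Constructed sample shaped like `az storage account show -o json` output.
# Account names are made up; only the fields the checks read are included.
SAMPLE_ACCOUNTS = json.loads("""
[
  {"name": "trainingdataweak",
   "allowBlobPublicAccess": true,
   "publicNetworkAccess": "Enabled",
   "networkRuleSet": {"defaultAction": "Allow", "virtualNetworkRules": []},
   "encryption": {"keySource": "Microsoft.Storage"},
   "privateEndpointConnections": []},
  {"name": "trainingdatahardened",
   "allowBlobPublicAccess": false,
   "publicNetworkAccess": "Disabled",
   "networkRuleSet": {"defaultAction": "Deny", "virtualNetworkRules": []},
   "encryption": {"keySource": "Microsoft.Keyvault"},
   "privateEndpointConnections": [{"name": "pe-training"}]}
]
""")


def audit_storage_account(acct):
    """Return a list of finding labels (hypothetical names) for one account."""
    findings = []
    # Assumption: a missing or null value is treated as "not disabled".
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append("blob-public-access-not-disabled")
    rules = acct.get("networkRuleSet") or {}
    public_off = acct.get("publicNetworkAccess") == "Disabled"
    # Firewall must default to Deny unless the public endpoint is off entirely.
    if not public_off and rules.get("defaultAction") != "Deny":
        findings.append("network-default-allow")
    # Mitigation step 2: private endpoints should front training data.
    if not acct.get("privateEndpointConnections"):
        findings.append("no-private-endpoint")
    # Mitigation step 3: CMK shows up as keySource "Microsoft.Keyvault".
    if (acct.get("encryption") or {}).get("keySource") != "Microsoft.Keyvault":
        findings.append("no-customer-managed-key")
    return findings


if __name__ == "__main__":
    for account in SAMPLE_ACCOUNTS:
        print(account["name"], audit_storage_account(account) or "OK")
```

To run it against real accounts, replace `SAMPLE_ACCOUNTS` with the parsed JSON of the storage accounts that hold training data.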
Patch Details
The issue was remediated on the Azure backend by Microsoft's security team on 2026-01-23. No customer action is required.