SSRF in Azure OpenAI "On Your Data" Allows Access to Internal Cloud Metadata
Overview
A Server-Side Request Forgery (SSRF) vulnerability was discovered in the data ingestion component of the Azure OpenAI "On Your Data" feature. This feature allows users to connect their own data sources, such as Azure Blob Storage, to ground the LLM's responses. To add a data source via URL, the service makes a request to fetch the specified content. Researchers found that the URL validation logic was insufficient, allowing attackers to specify internal Azure IP addresses, including the Instance Metadata Service (IMDS) endpoint (`169.254.169.254`). By providing a malicious URL pointing to the IMDS, an attacker could trick the Azure OpenAI backend service into making a request to its own metadata endpoint. The response, containing sensitive information such as temporary IAM credentials for the underlying compute instance, would then be ingested as a data source. The attacker could subsequently query the LLM to reveal these credentials, asking a question like "Summarize the content of the document I just uploaded." The LLM, now grounded on the exfiltrated metadata, would return the sensitive credentials in its response. These credentials could then be used by the attacker to pivot and gain unauthorized access to other Azure services and resources within the victim's tenant, leading to a significant cloud security breach.
Affected Systems
Testing Guide
1. This vulnerability was patched on the cloud provider's side and cannot be safely tested by customers.
2. To test your general posture, attempt to configure a data source in a test Azure OpenAI instance using a URL that points to an internal or controlled external server (e.g., a Burp Collaborator domain).
3. Monitor for incoming requests from Microsoft-owned IP ranges. If requests to arbitrary URLs are successful, it could indicate a misconfiguration, though the specific IMDS attack vector has been remediated.
Mitigation Steps
1. **Apply Vendor Patches:** Microsoft has patched this vulnerability on the backend, so no direct user action is required for the specific flaw. Ensure your cloud environment is always up-to-date.
2. **Use Private Endpoints:** When connecting data sources to cloud AI services, use private endpoints and VNet integration instead of public URLs. This restricts network traffic to your virtual network.
3. **Implement Egress Filtering:** On the network level, implement strict egress filtering rules to block unexpected outbound traffic from services, especially to known metadata IPs.
4. **Monitor Cloud Logs:** Regularly monitor Azure activity logs and network flow logs for suspicious requests originating from managed services to internal endpoints.
Patch Details
Microsoft deployed a server-side patch in January 2026 that enforces stricter URL validation and blocks requests to internal IP ranges and the IMDS endpoint.
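The kind of URL validation the patch description refers to, shown as an added example for anyone building their own URL-based ingestion service; this is not Microsoft's code, and the `resolve` parameter and the `ALLOWED_SCHEMES` set are assumptions made so the check can be unit-tested offline. It rejects any URL whose host resolves to a non-public address, including the IMDS endpoint and IPv4-mapped IPv6 forms of it.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: a data-source fetcher normally needs only HTTPS.
ALLOWED_SCHEMES = {"https"}
IMDS = ipaddress.ip_address("169.254.169.254")


def _addresses(host):
    """Resolve host to IP address objects; IP literals skip DNS entirely."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_url(url, resolve=_addresses):
    """Return True only if every address the URL can reach is public.

    `resolve` is a hypothetical injectable resolver so tests can supply
    constructed answers instead of live DNS. Re-run this check on every
    redirect hop and fetch the validated address, not the name, to avoid
    a DNS-rebinding window between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # userinfo makes the real host easy to misread
    try:
        addrs = resolve(parts.hostname)
    except (socket.gaierror, ValueError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        # Unwrap ::ffff:a.b.c.d so it is judged by its IPv4 meaning.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        # is_global is False for loopback, link-local, RFC 1918 and reserved space.
        if addr == IMDS or not addr.is_global:
            return False
    return True
```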