{"vulnerability": "CVE-2026-26171", "sightings": [{"uuid": "a55caa93-53c0-4e4d-b5b4-aa5d35354a8a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-26171", "type": "seen", "source": "https://advisories.ncsc.nl/advisory?id=NCSC-2026-0114", "content": "", "creation_timestamp": "2026-04-14T12:18:58.000000Z"}, {"uuid": "05ef1018-7ecb-41a7-865b-931a0b68ada8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26171", "type": "seen", "source": "Telegram/wMbMg2IIpe8qhH2P3K3O8ZiALd1adi8IR8v6NfGdxJbbfVA", "content": "", "creation_timestamp": "2026-04-14T20:06:26.000000Z"}, {"uuid": "28553378-84c7-446e-9cc8-376aa6523189", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26171", "type": "seen", "source": "https://www.thezdi.com/blog/2026/4/14/the-april-2026-security-update-review", "content": "", "creation_timestamp": "2026-04-14T15:49:19.000000Z"}, {"uuid": "714b4601-9c80-4daf-b06b-405fb92a5c71", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26171", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mjjzzj3vhr2r", "content": "", "creation_timestamp": "2026-04-15T13:50:18.353223Z"}, {"uuid": "2254d8b3-884d-4eb5-bad1-9d60961f3edd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26171", "type": "seen", "source": "https://gist.github.com/djlan/cb091b84cae623b2f6b2fef65deb6075", "content": "# PR explanation: [SECURITY] Bump System.Security.Cryptography.Xml from 8.0.2 to 8.0.3\n\nTo fix the two high-severity 
CVEs (CVE-2026-33116, CVE-2026-26171) reported by Component Governance, Dependabot upgrades the `System.Security.Cryptography.Xml` package and explicitly pins it to version 8.0.3.\n\n**PR link**: https://dev.azure.com/msdata/A365/_git/Synapse-NotebookService/pullrequest/2052673\n**Author**: Dependabot\n**Status**: abandoned\n**Branch**: `dependabot/nuget/src%2FServices/System.Security.Cryptography.Xml-8.0.3-3433618` \u2192 `master`\n**Change statistics**: 4 files changed (the diff shows 3 csproj/props files)\n\n## Table of contents\n- [Change overview](#change-overview)\n- [Impact analysis](#impact-analysis)\n\n---\n\n## Change overview\n\n### 1. Central Package Management\n\n**Purpose**: Add an explicit version pin for `System.Security.Cryptography.Xml` to the central package version configuration at the repository root, forcing all projects to reference 8.0.3 and overriding any older version (8.0.2 and earlier) coming from transitive dependencies, thereby cutting off the version chain affected by the CVEs.\n\n**Files involved**:\n- [Directory.Packages.props](https://dev.azure.com/msdata/A365/_git/Synapse-NotebookService/pullrequest/2052673?path=/Directory.Packages.props&_a=files): repository-level NuGet central package version declaration file\n\n**Key changes**:\n1. 
**New PackageVersion entry**: In the System.* package list of `` (between `System.Runtime.Extensions` and `System.Text.Json`), `` is added. This is the hallmark practice of a repository with Central Package Management (CPM) enabled: the version is defined only once, here, while child projects only declare the reference without a version number, which keeps the whole repository consistent.\n2. **Why an explicit declaration is needed**: The package was not previously referenced directly in the repository's code; it came in indirectly through the .NET 8 runtime or other NuGet packages. CVE advisories usually require \"bumping to a fixed version\", and relying on transitive dependencies alone cannot guarantee that the restore graph ends up selecting 8.0.3, so the package must be \"lifted to the top level\" and pinned explicitly.\n\n[\u2191 Back to table of contents](#table-of-contents)\n\n---\n\n### 2. 
Explicit PackageReference added to affected child projects\n\n**Purpose**: Explicitly declare a reference to `System.Security.Cryptography.Xml` in the two service/tool projects most likely to pull in this transitive dependency. Combined with the central version pin from the previous section, this ensures that the NuGet restore algorithm always uses 8.0.3 within the dependency closure of these projects and is not rolled back to 8.0.2 by other indirect dependencies.\n\n**Files involved**:\n- [src/Services/SynapseNotebookService.Infrastructure/SynapseNotebookService.Infrastructure.csproj](https://dev.azure.com/msdata/A365/_git/Synapse-NotebookService/pullrequest/2052673?path=/src/Services/SynapseNotebookService.Infrastructure/SynapseNotebookService.Infrastructure.csproj&_a=files): infrastructure-layer project that carries a large number of third-party packages (Newtonsoft.Json, Stubble.Core, WireMock.Net, Yarp.ReverseProxy, etc.) and is a hotspot for transitive dependencies on the XML security stack\n- [src/Services/SynapseNotebookService.NotebookCopilot.Tools/SynapseNotebookService.NotebookCopilot.Tools.csproj](https://dev.azure.com/msdata/A365/_git/Synapse-NotebookService/pullrequest/2052673?path=/src/Services/SynapseNotebookService.NotebookCopilot.Tools/SynapseNotebookService.NotebookCopilot.Tools.csproj&_a=files): Notebook Copilot tools project, which depends on identity/authentication libraries such as `Microsoft.Identity.ServerAuthorization` and indirectly pulls in SAML/XML signature components\n\n**Key changes**:\n1. 
**Version-less PackageReference added**: Each of the two csproj files appends `` to its existing ``, consistent with the CPM model: the version is decided centrally by `Directory.Packages.props`.\n2. **Why these two projects**: Dependabot's scanner works backwards to determine which projects' restore graphs contain the affected 8.0.2 version; the `Microsoft.Identity.*` / `WireMock.Net` families in the Infrastructure project and `Microsoft.Identity.ServerAuthorization` in NotebookCopilot.Tools are all typical upstreams that drag in `System.Security.Cryptography.Xml`. Modifying only these two projects covers every restore chain in which the CVE appears.\n3. **Minor indentation-style flaw**: The newly added `` line uses space indentation rather than the tab indentation of the file's other lines; this is purely a style issue and does not affect the build.\n\n[\u2191 Back to table of contents](#table-of-contents)\n\n---\n\n## Impact analysis\n\n- **Scope of impact**:\n  - All projects in the repository that reference `Directory.Packages.props` (that is, the entire solution) will pin `System.Security.Cryptography.Xml` to 8.0.3 at restore time.\n  - At runtime, only code paths related to XML encryption/decryption and XML digital signatures (XMLDSig) are affected, triggered indirectly mainly by scenarios such as SAML token validation, WS-Federation and SOAP 
signing; this repository's code most likely does not call the API directly, so the impact is mainly inside the identity/authentication libraries it depends on.\n\n- **User-visible impact**: No direct functional or UI changes. Security patch only; no new behavior is introduced.\n\n- **Risks**:\n  1. **PR status is abandoned**: The PR has been abandoned, which means this fix **was not merged through this PR** into `master`. It needs to be confirmed whether the security fix was completed through another PR or another version number (for example, upgrading directly to a higher 8.x or migrating to the version bundled with .NET 9), or whether the CG alerts are still open. If the latter, the two high-severity CVEs remain unclosed and the fix must be resubmitted as soon as possible.\n  2. **CVE numbers look anomalous**: The alert links show `CVE-2026-33116` and `CVE-2026-26171`, with the year 2026. These are either placeholder/internal numbers from the ADO Dependabot service or correspond to alerts not yet made public; when analyzing and tracing history, treat the CG Alert IDs (15428415 / 15428416) as authoritative.\n  3. 
**Not upgraded to the latest minor version**: 8.0.3 is a patch release on the .NET 8 LTS line; if 8.0.4+ or a corresponding .NET 9 fix appears later, this explicit pin will instead \"block\" automatic upgrades, so it should be put on the watch list for the next dependency review.\n  4. **Sustainability of the transitive-dependency override**: \"Forcing in\" a package that the code does not use directly, via the central configuration plus two projects, is essentially patching the dependency graph. Once upstream packages (`Microsoft.Identity.*` and so on) release versions that already bring in the new version, these explicit declarations become dead code; after the alerts are closed, it is advisable to revisit whether the explicit references can be removed, to avoid leaving behind meaningless dependencies.\n  5. 
**Build/restore behavior changes**: In a repository with CPM enabled, a child project that mistakenly carries a version number triggers a NuGet warning/error; the added lines correctly omit the version number, but make sure the CI `true` setting is still in effect to avoid restore failures in some edge-case projects.\n\n[\u2191 Back to table of contents](#table-of-contents)\n", "creation_timestamp": "2026-05-17T00:01:22.000000Z"}, {"uuid": "1de7e9c9-82f3-4399-bc18-c6c9c4e79f4f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26171", "type": "seen", "source": "https://gist.github.com/djlan/687e8ace53bfef1053611f182ad17c06", "content": "", "creation_timestamp": "2026-04-30T06:58:47.000000Z"}]}