RCE vulnerability discovered in Microsoft Power BI

The Missing Link has announced that Microsoft has credited the company’s Application Security Manager, Jack Misiura, for identifying and responsibly disclosing CVE‍-‍2026‍-‍21229, a Power BI Remote Code Execution (RCE) vulnerability.

In Microsoft’s advisory (released 10 February 2026), the issue is described as improper input validation that could allow an authorised attacker to execute code over a network. Microsoft assigns a CVSS v3.1 base score of 8.0 (High), while categorising the vulnerability’s maximum severity as Important.

Microsoft also states that, at the time of publication, the vulnerability was not publicly disclosed and had not been exploited, with an exploitability assessment of ‘Exploitation Unlikely’. Microsoft has issued an official fix and security update guidance for affected customers. Organisations running Power BI Report Server should review Microsoft’s guidance and apply the update promptly.

The discovery also underscores the importance of proactive, research-led offensive security testing in enterprise environments.

“Power BI sits close to the data organisations rely on for operational and financial decisions,” said Jack Misiura, Application Security Manager at The Missing Link. “A vulnerability of this class can create a pathway to unauthorised code execution in affected environments, which depending on configuration and access controls, may increase the risk of service disruption, data exposure or the integrity of reporting being undermined. Coordinated disclosure helps ensure fixes are available before issues are widely misused — and we would like to thank Microsoft for their timely response to our reporting.”

Sam Marshall, Chief Technical Security Officer at The Missing Link, said organisations should treat high-severity vendor advisories as an operational trigger.

“A CVSS score doesn’t mean an attack is underway; it signals potential impact if the right conditions exist,” he said. “The practical response is straightforward: confirm where the affected software is deployed, apply the official fix, and verify remediation through testing and monitoring.”

A related update and guidance has been published via The Missing Link’s Security Advisories page.

Further information is available via Microsoft’s official advisory page.

Image credit: iStock.com/sankai