VDB
GCVE-110-CLOUD-2025-0045
GCVE-110-CLOUD-2025-0045
Advisory Published
Azure iPaaS services, such as Logic Apps, separate the Control Plane (management) from the Data Plane (execution), but a flaw in this model enabled undetectable data harvesting.
An attacker with Azure Reader access to workflow run history can silently extract sensitive data from executions, including secrets and API responses. This is possible because execution details are exposed via the Control Plane, bypassing Data Plane access controls.
The root cause of this issue is the unintended exposure of runtime data through metadata endpoints, which could allow an attacker to passively collect information without triggering alerts or requiring direct execution privileges.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Azure | Logic Apps | — | — |
References
Browse GCVE Records
73,734 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.