VDB

GCVE-110-CLOUD-2025-0045

GCVE-110-CLOUD-2025-0045
Advisory Published
Vulnetix · Advisory published February 26, 2025
Azure iPaaS services, such as Logic Apps, separate the Control Plane (management) from the Data Plane (execution), but a flaw in this model enabled undetectable data harvesting. An attacker with Azure Reader access to workflow run history can silently extract sensitive data from executions, including secrets and API responses. This is possible because execution details are exposed via the Control Plane, bypassing Data Plane access controls. The root cause of this issue is the unintended exposure of runtime data through metadata endpoints, which could allow an attacker to passively collect information without triggering alerts or requiring direct execution privileges.

Affected Products

VendorProductVersionsPlatforms
AzureLogic Apps

Browse GCVE Records

73,734 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›