The Missing Link credited by Microsoft for discovery of high-severity Power BI vulnerability (CVE-2026-21229)

The Missing Link today announced that Microsoft has credited the company’s Application Security Manager, Jack Misiura, for identifying and responsibly disclosing CVE-2026-21229, a Power BI Remote Code Execution (RCE) vulnerability.

In Microsoft’s advisory (released 10 February 2026), the issue is described as improper input validation that could allow an authorised attacker to execute code over a network. Microsoft assigns a CVSS v3.1 base score of 8.0 (High), while categorising the vulnerability’s maximum severity as Important.

Microsoft also states that, at the time of publication, the vulnerability was not publicly disclosed and had not been exploited, with an exploitability assessment of “Exploitation Unlikely”. Microsoft has issued an official fix and security update guidance for affected customers. Organisations running Power BI Report Server should review Microsoft’s guidance and apply the update promptly.

The discovery also underscores the importance of proactive, research-led offensive security testing in enterprise environments.

The Missing Link maintains an active security research capability that supports its Offensive Security and Red Team engagements across complex enterprise environments. Rather than relying solely on known vulnerabilities, the team applies technical research and adversarial testing methodologies to identify previously undisclosed weaknesses and help organisations test their resilience against sophisticated threat scenarios before real-world exploitation occurs.

“Power BI sits close to the data organisations rely on for operational and financial decisions,” said Jack Misiura, Application Security Manager at The Missing Link. “A vulnerability of this class can create a pathway to unauthorised code execution in affected environments - which, depending on configuration and access controls, may increase the risk of service disruption, data exposure, or the integrity of reporting being undermined. Coordinated disclosure helps ensure fixes are available before issues are widely misused – and we would like to thank Microsoft for their timely response to our reporting.”

Sam Marshall, Chief Technical Security Officer at The Missing Link, said organisations should treat high-severity vendor advisories as an operational trigger. “A CVSS score doesn’t mean an attack is underway; it signals potential impact if the right conditions exist,” Marshall said. “The practical response is straightforward: confirm where the affected software is deployed, apply the official fix, and verify remediation through testing and monitoring.”

For non-technical audiences, a CVE (Common Vulnerabilities and Exposures) is a globally recognised identifier for a specific security flaw - essentially a reference number that enables vendors, security teams and organisations to track the same issue consistently and coordinate response.

The Missing Link is an authorised CVE Numbering Authority (CNA), part of a limited global community entrusted to support consistent vulnerability reporting and coordinated disclosure. Microsoft’s acknowledgement reflects The Missing Link’s capability to identify and responsibly disclose security issues in widely deployed enterprise technologies.

A related update and guidance has been published via The Missing Link’s Security Advisories page. 

Further information is available via Microsoft’s official advisory page.