Vulnerability-Lookup

WID-SEC-W-2026-0370

Vulnerability from csaf_certbund - Published: 2026-02-10 23:00 - Updated: 2026-02-10 23:00

Summary

Microsoft Azure-Produkte: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Azure ist eine Cloud Computing-Plattform von Microsoft. Microsoft Azure DevOps Server ist eine Plattform für kollaborative Softwareprojekte.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Microsoft Azure und Microsoft Azure DevOps Server ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, beliebigen Code auszuführen – sogar mit Administratorrechten –, Spoofing-Angriffe durchzuführen und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme: - Windows

CVE-2026-21228

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

CVE-2026-21512

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

CVE-2026-21522

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

CVE-2026-21528

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

CVE-2026-21529

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

CVE-2026-21531

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

CVE-2026-21532

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

CVE-2026-23655

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

CVE-2026-24300

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

CVE-2026-24302

Affected products

Known affected 8 products

Product	Identifier	Version
Microsoft Azure ARC Microsoft / Azure	`cpe:/a:microsoft:azure:arc`	ARC
Microsoft Azure HDInsight Microsoft / Azure	`cpe:/a:microsoft:azure:hdinsight`	HDInsight
Microsoft Azure Local Microsoft / Azure	`cpe:/a:microsoft:azure:local`	Local
Microsoft Azure DevOps Server 2022 Microsoft / Azure DevOps Server	`cpe:/o:microsoft:azure_devops_server:2022`	2022
Microsoft Azure Front Door Microsoft / Azure	`cpe:/a:microsoft:azure:front_door`	Front Door
Microsoft Azure Functions Microsoft / Azure	`cpe:/a:microsoft:azure:functions`	Functions
Microsoft Azure IoT Explorer Microsoft / Azure	`cpe:/a:microsoft:azure:iot_explorer`	IoT Explorer
Microsoft Azure AI Language Authoring Microsoft / Azure	`cpe:/a:microsoft:azure:ai_language_authoring`	AI Language Authoring

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://msrc.microsoft.com/update-guide/	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Azure ist eine Cloud Computing-Plattform von Microsoft.\r\nMicrosoft Azure DevOps Server ist eine Plattform f\u00fcr kollaborative Softwareprojekte.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Microsoft Azure und Microsoft Azure DevOps Server ausnutzen, um sich erweiterte Berechtigungen zu verschaffen, beliebigen Code auszuf\u00fchren \u2013 sogar mit Administratorrechten \u2013, Spoofing-Angriffe durchzuf\u00fchren und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0370 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0370.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0370 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0370"
      },
      {
        "category": "external",
        "summary": "Microsoft Leitfaden f\u00fcr Sicherheitsupdates",
        "url": "https://msrc.microsoft.com/update-guide/"
      }
    ],
    "source_lang": "en-US",
    "title": "Microsoft Azure-Produkte: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-02-10T23:00:00.000+00:00",
      "generator": {
        "date": "2026-02-11T09:37:38.758+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0370",
      "initial_release_date": "2026-02-10T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-02-10T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Functions",
                "product": {
                  "name": "Microsoft Azure Functions",
                  "product_id": "T050702",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:functions"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Front Door",
                "product": {
                  "name": "Microsoft Azure Front Door",
                  "product_id": "T050703",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:front_door"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "HDInsight",
                "product": {
                  "name": "Microsoft Azure HDInsight",
                  "product_id": "T050704",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:hdinsight"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ARC",
                "product": {
                  "name": "Microsoft Azure ARC",
                  "product_id": "T050705",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:arc"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Local",
                "product": {
                  "name": "Microsoft Azure Local",
                  "product_id": "T050707",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:local"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "AI Language Authoring",
                "product": {
                  "name": "Microsoft Azure AI Language Authoring",
                  "product_id": "T050708",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:ai_language_authoring"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "IoT Explorer",
                "product": {
                  "name": "Microsoft Azure IoT Explorer",
                  "product_id": "T050709",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:microsoft:azure:iot_explorer"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2022",
                "product": {
                  "name": "Microsoft Azure DevOps Server 2022",
                  "product_id": "T050706",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:microsoft:azure_devops_server:2022"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Azure DevOps Server"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-21228",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-21228"
    },
    {
      "cve": "CVE-2026-21512",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-21512"
    },
    {
      "cve": "CVE-2026-21522",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-21522"
    },
    {
      "cve": "CVE-2026-21528",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-21528"
    },
    {
      "cve": "CVE-2026-21529",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-21529"
    },
    {
      "cve": "CVE-2026-21531",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-21531"
    },
    {
      "cve": "CVE-2026-21532",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-21532"
    },
    {
      "cve": "CVE-2026-23655",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-23655"
    },
    {
      "cve": "CVE-2026-24300",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-24300"
    },
    {
      "cve": "CVE-2026-24302",
      "product_status": {
        "known_affected": [
          "T050705",
          "T050704",
          "T050707",
          "T050706",
          "T050703",
          "T050702",
          "T050709",
          "T050708"
        ]
      },
      "release_date": "2026-02-10T23:00:00.000+00:00",
      "title": "CVE-2026-24302"
    }
  ]
}

CVE-2026-21228 (GCVE-0-2026-21228)

Vulnerability from cvelistv5 – Published: 2026-02-10 17:51 – Updated: 2026-05-11 21:25

Title

Azure Local Remote Code Execution Vulnerability

Summary

Improper certificate validation in Azure Local allows an unauthorized attacker to execute code over a network.

Severity

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-295 - Improper Certificate Validation

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Azure Local	Affected: 1.0.0 , < 2510.0.3002 (custom)

Date Public

2026-02-10 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21228",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T04:56:08.120759Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:38.487Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Azure Local",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2510.0.3002",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_local:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2510.0.3002",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-10T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper certificate validation in Azure Local allows an unauthorized attacker to execute code over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:49.316Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure Local Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21228"
        }
      ],
      "title": "Azure Local Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-21228",
    "datePublished": "2026-02-10T17:51:48.818Z",
    "dateReserved": "2025-12-11T21:02:05.733Z",
    "dateUpdated": "2026-05-11T21:25:49.316Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21512 (GCVE-0-2026-21512)

Vulnerability from cvelistv5 – Published: 2026-02-10 17:51 – Updated: 2026-05-11 21:25

Title

Azure DevOps Server Cross-Site Scripting Vulnerability

Summary

Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Azure DevOps Server 2022	Affected: 20230131.0 , < 20260204.3 (custom)

Date Public

2026-02-10 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21512",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T15:23:49.008178Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T15:24:04.134Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Azure DevOps Server 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "20260204.3",
              "status": "affected",
              "version": "20230131.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_devops_server_2022:*:-:*:*:*:*:*:*",
                  "versionEndExcluding": "20260204.3",
                  "versionStartIncluding": "20230131.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-10T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Server-side request forgery (ssrf) in Azure DevOps Server allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:15.584Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure DevOps Server Cross-Site Scripting Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21512"
        }
      ],
      "title": "Azure DevOps Server Cross-Site Scripting Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-21512",
    "datePublished": "2026-02-10T17:51:16.670Z",
    "dateReserved": "2025-12-30T18:10:54.845Z",
    "dateUpdated": "2026-05-11T21:25:15.584Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21522 (GCVE-0-2026-21522)

Vulnerability from cvelistv5 – Published: 2026-02-10 17:51 – Updated: 2026-05-11 21:25

Title

Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability

Summary

Improper neutralization of special elements used in a command ('command injection') in Azure Compute Gallery allows an authorized attacker to elevate privileges locally.

Severity

6.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Microsoft ACI Confidential Containers	Affected: 1.0.0 , < 1.2.8 (custom)

Date Public

2026-02-10 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21522",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T04:55:41.750380Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:46.504Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft ACI Confidential Containers",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.2.8",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:microsoft_aci_confidential_containers:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.2.8",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-10T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of special elements used in a command (\u0027command injection\u0027) in Azure Compute Gallery allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:27.651Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21522"
        }
      ],
      "title": "Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-21522",
    "datePublished": "2026-02-10T17:51:29.618Z",
    "dateReserved": "2025-12-30T18:10:54.846Z",
    "dateUpdated": "2026-05-11T21:25:27.651Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21528 (GCVE-0-2026-21528)

Vulnerability from cvelistv5 – Published: 2026-02-10 17:51 – Updated: 2026-05-11 21:25

Title

Azure IoT Explorer Information Disclosure Vulnerability

Summary

Binding to an unrestricted ip address in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1327 - Binding to an Unrestricted IP Address

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Azure IoT Explorer	Affected: 1.0.0 , < 0.15.13 (custom)

Date Public

2026-02-10 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21528",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T15:34:20.468223Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T16:43:35.894Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Azure IoT Explorer",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "0.15.13",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_iot_explorer:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "0.15.13",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-10T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Binding to an unrestricted ip address in Azure IoT Explorer allows an unauthorized attacker to disclose information over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1327",
              "description": "CWE-1327: Binding to an Unrestricted IP Address",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:32.185Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure IoT Explorer Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21528"
        }
      ],
      "title": "Azure IoT Explorer Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-21528",
    "datePublished": "2026-02-10T17:51:30.773Z",
    "dateReserved": "2025-12-30T18:10:54.847Z",
    "dateUpdated": "2026-05-11T21:25:32.185Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21529 (GCVE-0-2026-21529)

Vulnerability from cvelistv5 – Published: 2026-02-10 17:51 – Updated: 2026-05-11 21:25

Title

Azure HDInsight Spoofing Vulnerability

Summary

Improper neutralization of input during web page generation ('cross-site scripting') in Azure HDInsights allows an authorized attacker to perform spoofing over a network.

Severity

5.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Azure HDInsight	Affected: 1.0 , < 5.1 (custom)

Date Public

2026-02-10 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21529",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T15:36:54.717376Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T15:38:49.338Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Azure HDInsight",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "5.1",
              "status": "affected",
              "version": "1.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_hdinsights:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.1",
                  "versionStartIncluding": "1.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-10T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) in Azure HDInsights allows an authorized attacker to perform spoofing over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:34.434Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure HDInsight Spoofing Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21529"
        }
      ],
      "title": "Azure HDInsight Spoofing Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-21529",
    "datePublished": "2026-02-10T17:51:33.525Z",
    "dateReserved": "2025-12-30T18:10:54.847Z",
    "dateUpdated": "2026-05-11T21:25:34.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21531 (GCVE-0-2026-21531)

Vulnerability from cvelistv5 – Published: 2026-02-10 17:51 – Updated: 2026-05-11 21:25

Title

Azure SDK for Python Remote Code Execution Vulnerability

Summary

Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Azure AI Language Authoring	Affected: 1.0.0 , < 1.0.0b4 (custom)

Date Public

2026-02-10 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21531",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T04:56:07.295834Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:46.198Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Azure AI Language Authoring",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "1.0.0b4",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_ai_language_authoring:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.0.0b4",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-10T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:32.778Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure SDK for Python Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21531"
        }
      ],
      "title": "Azure SDK for Python Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-21531",
    "datePublished": "2026-02-10T17:51:31.660Z",
    "dateReserved": "2025-12-30T18:10:54.847Z",
    "dateUpdated": "2026-05-11T21:25:32.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-21532 (GCVE-0-2026-21532)

Vulnerability from cvelistv5 – Published: 2026-02-05 22:13 – Updated: 2026-05-11 21:25 Exclusively Hosted Service

Title

Azure Function Information Disclosure Vulnerability

Summary

Azure Function Information Disclosure Vulnerability

Severity

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Azure Functions	Affected: -

Date Public

2026-02-05 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21532",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-09T19:30:33.016970Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-09T19:30:41.931Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Azure Functions",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_functions:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-05T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Azure Function Information Disclosure Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:26.964Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure Function Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21532"
        }
      ],
      "tags": [
        "exclusively-hosted-service"
      ],
      "title": "Azure Function Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-21532",
    "datePublished": "2026-02-05T22:13:24.102Z",
    "dateReserved": "2025-12-30T18:10:54.847Z",
    "dateUpdated": "2026-05-11T21:25:26.964Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23655 (GCVE-0-2026-23655)

Vulnerability from cvelistv5 – Published: 2026-02-10 17:51 – Updated: 2026-05-11 21:25

Title

Microsoft ACI Confidential Containers Information Disclosure Vulnerability

Summary

Cleartext storage of sensitive information in Azure Compute Gallery allows an authorized attacker to disclose information over a network.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-312 - Cleartext Storage of Sensitive Information

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Microsoft ACI Confidential Containers	Affected: 1.0.0 , < 2.12 (custom)

Date Public

2026-02-10 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23655",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-11T15:30:58.201471Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-11T15:31:23.432Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft ACI Confidential Containers",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "2.12",
              "status": "affected",
              "version": "1.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:microsoft_aci_confidential_containers:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2.12",
                  "versionStartIncluding": "1.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-10T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Cleartext storage of sensitive information in Azure Compute Gallery allows an authorized attacker to disclose information over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312: Cleartext Storage of Sensitive Information",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:23.224Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft ACI Confidential Containers Information Disclosure Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23655"
        }
      ],
      "title": "Microsoft ACI Confidential Containers Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-23655",
    "datePublished": "2026-02-10T17:51:24.484Z",
    "dateReserved": "2026-01-14T16:59:33.462Z",
    "dateUpdated": "2026-05-11T21:25:23.224Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24300 (GCVE-0-2026-24300)

Vulnerability from cvelistv5 – Published: 2026-02-05 22:13 – Updated: 2026-05-11 21:25 Exclusively Hosted Service

Title

Azure Front Door Elevation of Privilege Vulnerability

Summary

Azure Front Door Elevation of Privilege Vulnerability

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-284 - Improper Access Control

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Azure Front Door	Affected: -

Date Public

2026-02-05 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24300",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-07T04:55:18.475792Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:04:16.914Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Azure Front Door",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_front_door:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-05T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Azure Front Door Elevation of Privilege Vulnerability"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:26.218Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure Front Door Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24300"
        }
      ],
      "tags": [
        "exclusively-hosted-service"
      ],
      "title": "Azure Front Door Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-24300",
    "datePublished": "2026-02-05T22:13:25.676Z",
    "dateReserved": "2026-01-21T21:28:02.969Z",
    "dateUpdated": "2026-05-11T21:25:26.218Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24302 (GCVE-0-2026-24302)

Vulnerability from cvelistv5 – Published: 2026-02-05 22:13 – Updated: 2026-05-11 21:25 Exclusively Hosted Service

Title

Azure Arc Elevation of Privilege Vulnerability

Summary

Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network.

Severity

8.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-284 - Improper Access Control

Assigner

microsoft

References

1 reference

URL	Tags
https://msrc.microsoft.com/update-guide/vulnerabi…	vendor-advisorypatch

Impacted products

1 product

Vendor	Product	Version
Microsoft	Azure ARC	Affected: -

Date Public

2026-02-05 16:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24302",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-07T04:55:19.575905Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:04:17.183Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Azure ARC",
          "vendor": "Microsoft",
          "versions": [
            {
              "status": "affected",
              "version": "-"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:azure_arc:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "-",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-02-05T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284: Improper Access Control",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T21:25:52.347Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Azure Arc Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24302"
        }
      ],
      "tags": [
        "exclusively-hosted-service"
      ],
      "title": "Azure Arc Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-24302",
    "datePublished": "2026-02-05T22:13:22.975Z",
    "dateReserved": "2026-01-21T21:28:02.969Z",
    "dateUpdated": "2026-05-11T21:25:52.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2026-0370

CVE-2026-21228 (GCVE-0-2026-21228)

CVE-2026-21512 (GCVE-0-2026-21512)

CVE-2026-21522 (GCVE-0-2026-21522)

CVE-2026-21528 (GCVE-0-2026-21528)

CVE-2026-21529 (GCVE-0-2026-21529)

CVE-2026-21531 (GCVE-0-2026-21531)

CVE-2026-21532 (GCVE-0-2026-21532)

CVE-2026-23655 (GCVE-0-2026-23655)

CVE-2026-24300 (GCVE-0-2026-24300)

CVE-2026-24302 (GCVE-0-2026-24302)

Tags

Sightings

Nomenclature