Skip to main content

Microsoft CVE-2026-23658

| EUVDEUVD-2026-13174 HIGH
Insufficiently Protected Credentials (CWE-522)
2026-03-19 secure@microsoft.com
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 21:30 euvd
EUVD-2026-13174
Analysis Generated
Mar 19, 2026 - 21:30 vuln.today
CVE Published
Mar 19, 2026 - 21:16 nvd
HIGH 8.6

DescriptionCVE.org

Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

This vulnerability involves insufficiently protected credentials in Azure DevOps that allows an unauthorized attacker to elevate privileges over a network. The vulnerability affects Azure DevOps versions up to and presents a high-risk authentication bypass issue that could allow attackers to gain unauthorized access with elevated privileges. With a CVSS score of 8.6 and no exploitation complexity barriers, this represents a critical security risk for organizations using affected Azure DevOps instances.

Technical ContextAI

The vulnerability is classified as CWE-522 (Insufficiently Protected Credentials), which occurs when an application transmits or stores authentication credentials using an insecure method that could allow unauthorized actors to read or modify them. Azure DevOps is Microsoft's cloud-based DevOps platform that provides version control, reporting, requirements management, project management, automated builds, testing and release management capabilities. The vulnerability specifically affects the credential handling mechanisms within Azure DevOps, potentially exposing authentication tokens, passwords, or other sensitive authentication data that could be intercepted or accessed by unauthorized parties.

RemediationAI

Microsoft's official remediation guidance should be followed via their Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658. Until an official patch is available and applied, organizations should implement compensating controls including network segmentation to limit access to Azure DevOps instances, enable multi-factor authentication for all accounts, monitor authentication logs for suspicious activity, and rotate any credentials that may have been exposed. Given the authentication bypass nature of this vulnerability, immediate action is recommended to prevent unauthorized access and privilege escalation.

Share

CVE-2026-23658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy