Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
This vulnerability involves insufficiently protected credentials in Azure DevOps that allows an unauthorized attacker to elevate privileges over a network. The vulnerability affects Azure DevOps versions up to and presents a high-risk authentication bypass issue that could allow attackers to gain unauthorized access with elevated privileges. With a CVSS score of 8.6 and no exploitation complexity barriers, this represents a critical security risk for organizations using affected Azure DevOps instances.
Technical ContextAI
The vulnerability is classified as CWE-522 (Insufficiently Protected Credentials), which occurs when an application transmits or stores authentication credentials using an insecure method that could allow unauthorized actors to read or modify them. Azure DevOps is Microsoft's cloud-based DevOps platform that provides version control, reporting, requirements management, project management, automated builds, testing and release management capabilities. The vulnerability specifically affects the credential handling mechanisms within Azure DevOps, potentially exposing authentication tokens, passwords, or other sensitive authentication data that could be intercepted or accessed by unauthorized parties.
RemediationAI
Microsoft's official remediation guidance should be followed via their Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658. Until an official patch is available and applied, organizations should implement compensating controls including network segmentation to limit access to Azure DevOps instances, enable multi-factor authentication for all accounts, monitor authentication logs for suspicious activity, and rotate any credentials that may have been exposed. Given the authentication bypass nature of this vulnerability, immediate action is recommended to prevent unauthorized access and privilege escalation.
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13174