What is the CVSS score of CVE-2026-24306?

CVE-2026-24306 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Azure are affected by CVE-2026-24306?

A critical privilege escalation vulnerability in Azure Front Door exposes any organization using this service to unauthorized account takeover and lateral movement attacks.. A patch is available.

How to fix or mitigate CVE-2026-24306?

Within 24 hours: Inventory all Azure Front Door instances and dependent services; enable enhanced monitoring and alerting for suspicious access patterns. Within 7 days: Implement network segmentation to limit Front Door exposure; review and restrict IAM permissions to least-privilege; enable MFA for all administrative accounts. Within 30 days: Monitor Microsoft security advisories for patch availability; evaluate alternative CDN solutions; conduct penetration testing post-remediation.

Azure CVE-2026-24306

CRITICAL

Improper Access Control (CWE-284)

2026-01-22 secure@microsoft.com

Azure Azure Front Door

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 22, 2026 - 23:15 nvd

CRITICAL 9.8

DescriptionCVE.org

Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Azure Front Door has an improper access control vulnerability (CVSS 9.8) allowing unauthorized attackers to elevate privileges through the CDN and WAF infrastructure.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send unauthenticated network request to Azure Front Door

Exploit

Exploit improper access control in AFD configuration

Execution

Bypass authorization checks

Impact

Gain elevated privileges over target resource

Access

Send unauthenticated network request to Azure Front Door

Exploit

Exploit improper access control in AFD configuration

Execution

Bypass authorization checks

Impact

Gain elevated privileges over target resource

Vulnerability AssessmentAI

Exploitation	No special conditions — remote unauthenticated exploitation against default Azure Front Door configurations with improper access control settings enabled. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8 — Azure Front Door is a global CDN and WAF service. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker exploits the access control flaw to bypass Azure Front Door's WAF protections, directly accessing origin servers that were assumed to be protected, enabling attacks against backend applications.
Remediation	Apply Microsoft patches. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Azure Front Door instances and dependent services; enable enhanced monitoring and alerting for suspicious access patterns. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-24306 vulnerability details – vuln.today

Back

Azure CVE-2026-24306

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code