Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper input validation in Azure Compute Gallery allows an authorized attacker to disclose information over a network.
AnalysisAI
Information disclosure in Microsoft Azure Compute Gallery permits an authenticated remote attacker to read sensitive data across tenant or resource boundaries due to improper input validation (CWE-20). The scope-changed CVSS 7.7 rating reflects cross-boundary impact, but the exploit maturity is currently unproven (E:U) and no public exploit identified at time of analysis. Microsoft has published an official fix via MSRC.
Technical ContextAI
Azure Compute Gallery (formerly Shared Image Gallery) is a Microsoft Azure service for managing, sharing, and replicating VM images, application packages, and other compute artifacts across subscriptions and regions; the affected CPE points specifically at Azure Stack HCI integration, the hybrid on-premises Azure platform that consumes gallery artifacts. CWE-20 (Improper Input Validation) at the gallery's network-facing interface means user-supplied parameters are not validated rigorously before being used to resolve or return resource data, enabling an authorized caller to coax the service into emitting information from contexts it should not have access to. The CVSS Scope:Changed designation reinforces that the impact crosses the vulnerable component's authorization boundary - typical of multi-tenant cloud control-plane bugs.
RemediationAI
Patch available per vendor advisory - apply the Microsoft update referenced in MSRC at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26147 to remediate. For Azure Compute Gallery itself, Microsoft typically mitigates server-side without customer action; for Azure Stack HCI deployments, apply the corresponding cumulative or security update package as detailed in the MSRC entry. As compensating controls until patching is complete, restrict gallery-related RBAC roles (Compute Gallery Sharing Admin, Reader on gallery resources) to the minimum set of principals, audit recent gallery API calls via Azure Activity Log for anomalous read patterns, and require Conditional Access / MFA on identities that hold any gallery permissions - the trade-off is tighter operational friction for legitimate image-publishing workflows.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31516
GHSA-jp7v-xgrx-wqjf