Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Microsoft Azure Kubernetes Service (AKS) contains an improper authorization vulnerability enabling unauthenticated remote attackers to elevate privileges over a network with critical impact across confidentiality, integrity, and availability. The CVSS 10.0 critical rating reflects network-accessible exploitation requiring no authentication, low complexity, and scope change allowing compromise beyond the vulnerable component. No public exploit identified at time of analysis, though the authentication bypass nature and maximum severity warrant immediate priority.
Technical ContextAI
This vulnerability stems from CWE-285 (Improper Authorization), indicating a flaw in AKS's access control enforcement mechanisms that fails to properly validate user permissions before granting elevated privileges. Azure Kubernetes Service manages containerized applications through Kubernetes orchestration, where authorization typically flows through Kubernetes RBAC (Role-Based Access Control) and Azure Active Directory integration. The improper authorization allows bypass of these controls, potentially at the API server level, kubelet authentication layer, or Azure control plane interface. Given the Kubernetes multi-tenant architecture, authorization failures can expose cluster-wide resources, workloads, and underlying infrastructure across namespace boundaries.
RemediationAI
Organizations must immediately consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33105 for vendor-released patches and specific remediation guidance. Microsoft typically delivers AKS security updates through automatic control plane updates or requires manual cluster upgrades depending on severity and cluster configuration. Until patching is complete, implement compensating controls including restricting AKS API server network access through authorized IP ranges, enabling Azure Private Link for AKS to eliminate public internet exposure, enforcing Azure AD Pod Identity for workload authentication, and conducting immediate audit log review for unauthorized privilege escalation attempts. Monitor AKS audit logs for unusual authentication patterns, unauthorized role binding creation, and abnormal API server access from unexpected source IPs. Given the critical severity and authentication bypass nature, emergency patching outside normal maintenance windows is justified.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18562
GHSA-q5xq-rvph-wwgr