Skip to main content

Azure SDK for Java CVE-2026-33117

| EUVDEUVD-2026-29578 CRITICAL
Improper Authentication (CWE-287)
2026-05-12 microsoft GHSA-97jf-46m3-8953
9.1
CVSS 3.1 · NVD
Temporal: 7.9
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.9 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 18:31 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
CRITICAL 9.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 12 maven packages depend on com.azure:azure-security-keyvault-keys (4 direct, 8 indirect)

Ecosystem-wide dependent count for version 4.10.6.

DescriptionCVE.org

Improper authentication in Azure SDK allows an unauthorized attacker to bypass a security feature over a network.

AnalysisAI

Authentication bypass in Microsoft Azure SDK for Java allows remote unauthenticated attackers to circumvent security controls over the network without user interaction. The vulnerability exposes confidentiality and integrity of Azure services to unauthorized access, with confirmed vendor patch available. CVSS 9.1 reflects critical network-based exploitation against default configurations, though no active exploitation (CISA KEV) or public POC has been identified at time of analysis.

Technical ContextAI

This vulnerability affects Microsoft Azure SDK for Java (cpe:2.3:a:microsoft:azure_sdk_for_java), a client library enabling Java applications to interact with Azure cloud services. The root cause is CWE-287 (Improper Authentication), indicating flawed implementation of authentication mechanisms within the SDK. Rather than failing to implement authentication entirely, the SDK likely contains logic errors in credential validation, token verification, or authentication state management that can be manipulated to bypass intended access controls. This class of vulnerability typically manifests in middleware or client library code where authentication decisions are made before passing requests to backend Azure services, allowing attackers to craft requests that incorrectly pass authentication checks.

RemediationAI

Update to the patched version of Azure SDK for Java specified in Microsoft's official security advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117. Microsoft has released a vendor patch addressing the authentication bypass. Organizations should identify all Java applications and services using Azure SDK dependencies, update SDK libraries to the fixed version through dependency management tools (Maven, Gradle), and redeploy affected applications. Until patching is complete, implement compensating controls: restrict network access to Azure-connected Java applications using firewall rules or network segmentation to limit exposure to trusted IP ranges only; enable Azure Active Directory Conditional Access policies requiring additional authentication factors beyond SDK-level auth; implement application-layer request validation and logging to detect anomalous authentication patterns; and monitor Azure Activity Logs for unauthorized access attempts to resources typically accessed by affected applications. Note that network restrictions may impact legitimate remote users, and additional auth layers may require application code changes depending on SDK usage patterns.

Share

CVE-2026-33117 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy