Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 12 maven packages depend on com.azure:azure-security-keyvault-keys (4 direct, 8 indirect)
Ecosystem-wide dependent count for version 4.10.6.
DescriptionCVE.org
Improper authentication in Azure SDK allows an unauthorized attacker to bypass a security feature over a network.
AnalysisAI
Authentication bypass in Microsoft Azure SDK for Java allows remote unauthenticated attackers to circumvent security controls over the network without user interaction. The vulnerability exposes confidentiality and integrity of Azure services to unauthorized access, with confirmed vendor patch available. CVSS 9.1 reflects critical network-based exploitation against default configurations, though no active exploitation (CISA KEV) or public POC has been identified at time of analysis.
Technical ContextAI
This vulnerability affects Microsoft Azure SDK for Java (cpe:2.3:a:microsoft:azure_sdk_for_java), a client library enabling Java applications to interact with Azure cloud services. The root cause is CWE-287 (Improper Authentication), indicating flawed implementation of authentication mechanisms within the SDK. Rather than failing to implement authentication entirely, the SDK likely contains logic errors in credential validation, token verification, or authentication state management that can be manipulated to bypass intended access controls. This class of vulnerability typically manifests in middleware or client library code where authentication decisions are made before passing requests to backend Azure services, allowing attackers to craft requests that incorrectly pass authentication checks.
RemediationAI
Update to the patched version of Azure SDK for Java specified in Microsoft's official security advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117. Microsoft has released a vendor patch addressing the authentication bypass. Organizations should identify all Java applications and services using Azure SDK dependencies, update SDK libraries to the fixed version through dependency management tools (Maven, Gradle), and redeploy affected applications. Until patching is complete, implement compensating controls: restrict network access to Azure-connected Java applications using firewall rules or network segmentation to limit exposure to trusted IP ranges only; enable Azure Active Directory Conditional Access policies requiring additional authentication factors beyond SDK-level auth; implement application-layer request validation and logging to detect anomalous authentication patterns; and monitor Azure Activity Logs for unauthorized access attempts to resources typically accessed by affected applications. Note that network restrictions may impact legitimate remote users, and additional auth layers may require application code changes depending on SDK usage patterns.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29578
GHSA-97jf-46m3-8953