Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network.
AnalysisAI
Authentication bypass in Microsoft Azure Active Directory B2C (now part of Microsoft Entra) allows remote unauthenticated attackers to elevate privileges by reaching protected functionality through an alternate code path. The CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no privileges and no user interaction, yielding high confidentiality and integrity impact against tenants relying on Azure AD B2C for identity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated-network profile and Microsoft self-reporting make this a high-priority advisory for any tenant using B2C.
Technical ContextAI
Azure AD B2C is Microsoft's customer-facing identity-as-a-service offering within the Microsoft Entra family, used to handle sign-up, sign-in, and federated identity for consumer applications via OAuth/OIDC and SAML flows. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) describes a class where authentication is enforced on the primary path but a parallel endpoint, protocol handler, or flow variant skips or weakens that enforcement - for example, an unauthenticated administrative or token-issuance endpoint, an unintended SAML/OIDC flow, or a misrouted internal API. The affected CPE 'cpe:2.3:a:microsoft:microsoft_entra' confirms the service-side identity platform is the locus of the flaw rather than any on-premises component, meaning the fix is delivered server-side by Microsoft rather than via customer-installed updates.
RemediationAI
Patch available per vendor advisory: Microsoft has released a fix for Azure AD B2C / Microsoft Entra documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33843, and because this is a cloud service the remediation is applied by Microsoft to the platform rather than requiring a customer-installed patch - administrators should consult MSRC to confirm their tenant region and ring is on the fixed service version. Defenders should additionally review B2C sign-in logs and audit logs for anomalous token issuance, unfamiliar application consent grants, and privilege changes since the disclosure window, and rotate any credentials or signing keys that may have been exposed through unauthorized flows. As compensating controls until tenant remediation is confirmed, restrict sensitive B2C-protected applications behind Conditional Access policies that require additional factors or trusted networks (trade-off: may break legitimate customer logins on unmanaged devices), tighten allowed redirect URIs and token lifetimes on B2C applications to shrink the abuse window, and disable any unused B2C user flows or custom policies that expand the attack surface.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31519
GHSA-5gj2-5693-p684