Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.
AnalysisAI
Spoofing vulnerability in Microsoft Azure Entra ID (formerly Azure Active Directory) enables remote unauthenticated attackers to obtain sensitive authentication information via network-based attacks requiring user interaction. The vulnerability affects Microsoft Enterprise Security Token Service (ESTS), the authentication backbone of Azure Entra ID, with scope change indicating potential cross-domain impact. Microsoft has released a patch per MSRC advisory. CVSS 9.3 (Critical) reflects network accessibility, low complexity, and high confidentiality/integrity impact with changed scope.
Technical ContextAI
The vulnerability resides in Microsoft Enterprise Security Token Service (ESTS), the core authentication and token issuance service for Azure Entra ID (formerly Azure Active Directory). ESTS handles OAuth2/OpenID Connect token generation and validation for Microsoft cloud services. This is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) weakness, indicating unauthorized disclosure of data that should be restricted. The CVSS scope change (S:C) suggests the vulnerability crosses security boundaries, potentially allowing attackers to leverage exposed information from ESTS to impact resources beyond the vulnerable component itself, such as downstream relying services trusting Azure Entra ID tokens. Given ESTS's role in enterprise SSO and federation, exposed information likely includes authentication artifacts, tokens, or session data that enable identity spoofing.
RemediationAI
Apply the vendor-released patch immediately via Microsoft Security Response Center (MSRC) update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40379. As Azure Entra ID is a cloud service, Microsoft typically applies security updates transparently without customer action required for the core platform, but verify patch status through the MSRC advisory and ensure any on-premises components (Azure AD Connect, ADFS integration points) are updated if identified in the bulletin. Until patching is confirmed, implement compensating controls: enforce conditional access policies requiring MFA for all Azure Entra ID authentications to add authentication friction beyond the compromised primary factor; enable Azure AD Identity Protection with high-risk sign-in policies to detect anomalous authentication patterns; review and restrict application consent policies to limit potential impact of spoofed identities; monitor Azure AD sign-in logs for unusual token issuance patterns or authentication from unexpected locations. Note that MFA may not fully mitigate if the vulnerability exposes post-authentication tokens, but adds defense-in-depth. These controls increase operational overhead and user friction but provide measurable risk reduction during the patch window.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29655
GHSA-xq38-4286-vwhm