Skip to main content

Azure DevOps CVE-2026-42826

| EUVDEUVD-2026-28460 CRITICAL
Information Exposure (CWE-200)
2026-05-07 microsoft GHSA-gmwx-3xm2-9fx8
10.0
CVSS 3.1 · NVD
Temporal: 8.7
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
8.7 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 22:03 vuln.today
CVE Published
May 07, 2026 - 20:59 nvd
CRITICAL 10.0

DescriptionCVE.org

Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.

AnalysisAI

Unauthorized information disclosure in Azure DevOps allows remote unauthenticated attackers to access sensitive data via network requests and potentially compromise the system with high confidentiality, integrity, and availability impact. The vulnerability carries a maximum CVSS 10.0 score with scope change, indicating cross-boundary impact. Microsoft has released an official patch, and no active exploitation has been reported via CISA KEV at the time of analysis.

Technical ContextAI

This is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerability affecting Microsoft Azure DevOps, a comprehensive DevOps platform providing source control, CI/CD pipelines, artifact repositories, and project management capabilities. The vulnerability exposes sensitive data through improper access controls or information leakage mechanisms accessible over network protocols. The scope change (S:C) in the CVSS vector indicates the vulnerability transcends security boundaries, meaning an attacker could potentially pivot from Azure DevOps to impact resources in different security contexts, such as connected Azure resources, repositories, or downstream systems that trust Azure DevOps authentication tokens or secrets. The perfect 10.0 CVSS score with network vector and no complexity barriers suggests a fundamental flaw in access control or data protection mechanisms within the platform's network-facing components.

RemediationAI

Apply the vendor-released patch immediately by consulting the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42826 for exact update procedures and patched versions. For Azure DevOps Services (cloud), Microsoft typically applies security updates automatically to the service, but administrators should verify their instance has been updated and review any required configuration changes. For Azure DevOps Server (on-premises), download and install the security update package following Microsoft's deployment guidance, which typically requires service restart and may involve brief downtime for the DevOps platform. As an interim compensating control if patching must be delayed, implement network-level restrictions to limit Azure DevOps access to trusted IP ranges via firewall rules or Azure Network Security Groups, though this only reduces attack surface and does not eliminate the vulnerability. Review Azure DevOps audit logs for suspicious access patterns to sensitive repositories, pipelines, or secrets during the exposure window. Rotate any credentials, personal access tokens, and service connection secrets that may have been exposed, prioritizing those with elevated privileges or access to production environments.

Share

CVE-2026-42826 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy