Skip to main content

Azure CycleCloud CVE-2026-57969

| EUVDEUVD-2026-43760 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-07-14 microsoft GHSA-5hx7-jrq3-6879
8.8
CVSS 3.1 · Vendor: microsoft
Share

Severity by source

Vendor (microsoft) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
vuln.today AI
8.8 HIGH

Network-reachable management function with low complexity and no UI; PR:L because an existing low-privilege authenticated foothold is required, and the missing auth check yields full C/I/A compromise.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 17:52 vuln.today
CVE Published
Jul 14, 2026 - 17:05 nvd
HIGH 8.8

DescriptionCVE.org

Missing authentication for critical function in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in Microsoft Azure CycleCloud 8.9.1 allows an authorized (low-privileged) attacker to gain elevated privileges over the network by reaching a critical function that lacks an authentication check (CWE-306). Reported by Microsoft with a patch available and rated CVSS 8.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege CycleCloud access
Delivery
Reach management service over network
Exploit
Invoke unauthenticated critical function
Execution
Escalate privileges (missing auth check)
Impact
Full control of CycleCloud and HPC clusters

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess low-privileged authenticated access to the Azure CycleCloud instance (CVSS PR:L, 'authorized attacker'), and network reachability to the CycleCloud management service (AV:N); no user interaction is required (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) describes a network-reachable, low-complexity attack requiring only low privileges and no user interaction, yielding high impact across confidentiality, integrity, and availability - a strong signal for prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds low-privilege credentials to an Azure CycleCloud 8.9.1 instance - for example a limited cluster user or a compromised service account - sends a network request that directly invokes a privileged management function that fails to check authorization. Because attack complexity is low and no user interaction is needed, the attacker escalates to full control of the CycleCloud instance and the HPC clusters it orchestrates. …
Remediation Apply the vendor patch - Patch available per vendor advisory (Microsoft MSRC): review and follow the update guidance at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57969 to move Azure CycleCloud off the vulnerable 8.9.1 line to the fixed release; the exact patched version number is not stated in the provided data, so obtain it directly from the MSRC update guide. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Azure CycleCloud deployments and identify instances running version 8.9.1, categorizing by operational criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy