Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.
AnalysisAI
Unauthorized information disclosure in Azure DevOps allows remote unauthenticated attackers to access sensitive data via network requests and potentially compromise the system with high confidentiality, integrity, and availability impact. The vulnerability carries a maximum CVSS 10.0 score with scope change, indicating cross-boundary impact. Microsoft has released an official patch, and no active exploitation has been reported via CISA KEV at the time of analysis.
Technical ContextAI
This is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerability affecting Microsoft Azure DevOps, a comprehensive DevOps platform providing source control, CI/CD pipelines, artifact repositories, and project management capabilities. The vulnerability exposes sensitive data through improper access controls or information leakage mechanisms accessible over network protocols. The scope change (S:C) in the CVSS vector indicates the vulnerability transcends security boundaries, meaning an attacker could potentially pivot from Azure DevOps to impact resources in different security contexts, such as connected Azure resources, repositories, or downstream systems that trust Azure DevOps authentication tokens or secrets. The perfect 10.0 CVSS score with network vector and no complexity barriers suggests a fundamental flaw in access control or data protection mechanisms within the platform's network-facing components.
RemediationAI
Apply the vendor-released patch immediately by consulting the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42826 for exact update procedures and patched versions. For Azure DevOps Services (cloud), Microsoft typically applies security updates automatically to the service, but administrators should verify their instance has been updated and review any required configuration changes. For Azure DevOps Server (on-premises), download and install the security update package following Microsoft's deployment guidance, which typically requires service restart and may involve brief downtime for the DevOps platform. As an interim compensating control if patching must be delayed, implement network-level restrictions to limit Azure DevOps access to trusted IP ranges via firewall rules or Azure Network Security Groups, though this only reduces attack surface and does not eliminate the vulnerability. Review Azure DevOps audit logs for suspicious access patterns to sensitive repositories, pipelines, or secrets during the exposure window. Rotate any credentials, personal access tokens, and service connection secrets that may have been exposed, prioritizing those with elevated privileges or access to production environments.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28460
GHSA-gmwx-3xm2-9fx8