Skip to main content

Azure Entra ID EUVDEUVD-2026-29655

| CVE-2026-40379 CRITICAL
Information Exposure (CWE-200)
2026-05-12 microsoft GHSA-xq38-4286-vwhm
9.3
CVSS 3.1 · NVD
Temporal: 8.1
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
8.1 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 18:30 vuln.today
CVE Published
May 12, 2026 - 16:58 nvd
CRITICAL 9.3

DescriptionCVE.org

Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.

AnalysisAI

Spoofing vulnerability in Microsoft Azure Entra ID (formerly Azure Active Directory) enables remote unauthenticated attackers to obtain sensitive authentication information via network-based attacks requiring user interaction. The vulnerability affects Microsoft Enterprise Security Token Service (ESTS), the authentication backbone of Azure Entra ID, with scope change indicating potential cross-domain impact. Microsoft has released a patch per MSRC advisory. CVSS 9.3 (Critical) reflects network accessibility, low complexity, and high confidentiality/integrity impact with changed scope.

Technical ContextAI

The vulnerability resides in Microsoft Enterprise Security Token Service (ESTS), the core authentication and token issuance service for Azure Entra ID (formerly Azure Active Directory). ESTS handles OAuth2/OpenID Connect token generation and validation for Microsoft cloud services. This is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) weakness, indicating unauthorized disclosure of data that should be restricted. The CVSS scope change (S:C) suggests the vulnerability crosses security boundaries, potentially allowing attackers to leverage exposed information from ESTS to impact resources beyond the vulnerable component itself, such as downstream relying services trusting Azure Entra ID tokens. Given ESTS's role in enterprise SSO and federation, exposed information likely includes authentication artifacts, tokens, or session data that enable identity spoofing.

RemediationAI

Apply the vendor-released patch immediately via Microsoft Security Response Center (MSRC) update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40379. As Azure Entra ID is a cloud service, Microsoft typically applies security updates transparently without customer action required for the core platform, but verify patch status through the MSRC advisory and ensure any on-premises components (Azure AD Connect, ADFS integration points) are updated if identified in the bulletin. Until patching is confirmed, implement compensating controls: enforce conditional access policies requiring MFA for all Azure Entra ID authentications to add authentication friction beyond the compromised primary factor; enable Azure AD Identity Protection with high-risk sign-in policies to detect anomalous authentication patterns; review and restrict application consent policies to limit potential impact of spoofed identities; monitor Azure AD sign-in logs for unusual token issuance patterns or authentication from unexpected locations. Note that MFA may not fully mitigate if the vulnerability exposes post-authentication tokens, but adds defense-in-depth. These controls increase operational overhead and user friction but provide measurable risk reduction during the patch window.

Share

EUVD-2026-29655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy