Skip to main content

Microsoft Entra EUVDEUVD-2026-31519

| CVE-2026-33843 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-22 microsoft GHSA-5gj2-5693-p684
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 22:45 vuln.today

DescriptionCVE.org

Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Authentication bypass in Microsoft Azure Active Directory B2C (now part of Microsoft Entra) allows remote unauthenticated attackers to elevate privileges by reaching protected functionality through an alternate code path. The CVSS 9.1 vector (AV:N/AC:L/PR:N/UI:N) reflects network-reachable exploitation with no privileges and no user interaction, yielding high confidentiality and integrity impact against tenants relying on Azure AD B2C for identity. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the unauthenticated-network profile and Microsoft self-reporting make this a high-priority advisory for any tenant using B2C.

Technical ContextAI

Azure AD B2C is Microsoft's customer-facing identity-as-a-service offering within the Microsoft Entra family, used to handle sign-up, sign-in, and federated identity for consumer applications via OAuth/OIDC and SAML flows. CWE-288 (Authentication Bypass Using an Alternate Path or Channel) describes a class where authentication is enforced on the primary path but a parallel endpoint, protocol handler, or flow variant skips or weakens that enforcement - for example, an unauthenticated administrative or token-issuance endpoint, an unintended SAML/OIDC flow, or a misrouted internal API. The affected CPE 'cpe:2.3:a:microsoft:microsoft_entra' confirms the service-side identity platform is the locus of the flaw rather than any on-premises component, meaning the fix is delivered server-side by Microsoft rather than via customer-installed updates.

RemediationAI

Patch available per vendor advisory: Microsoft has released a fix for Azure AD B2C / Microsoft Entra documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33843, and because this is a cloud service the remediation is applied by Microsoft to the platform rather than requiring a customer-installed patch - administrators should consult MSRC to confirm their tenant region and ring is on the fixed service version. Defenders should additionally review B2C sign-in logs and audit logs for anomalous token issuance, unfamiliar application consent grants, and privilege changes since the disclosure window, and rotate any credentials or signing keys that may have been exposed through unauthorized flows. As compensating controls until tenant remediation is confirmed, restrict sensitive B2C-protected applications behind Conditional Access policies that require additional factors or trusted networks (trade-off: may break legitimate customer logins on unmanaged devices), tighten allowed redirect URIs and token lifetimes on B2C applications to shrink the abuse window, and disable any unused B2C user flows or custom policies that expand the attack surface.

Share

EUVD-2026-31519 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy