Skip to main content

Azure Active Directory

5 CVEs product

Monthly

CVE-2026-50653 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Azure Active Directory (Entra ID) allows a remote unauthenticated attacker to send network traffic that drives affected processing into an infinite loop (CWE-835), exhausting resources and disrupting availability of the identity service. The flaw carries CVSS 7.5 with a high-availability impact, no confidentiality or integrity effect, and no public exploit identified at time of analysis. Microsoft has released a fix, which for this cloud-hosted service is applied server-side by the vendor.

Microsoft Denial Of Service Azure Active Directory
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2026-50652 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Deserialization Azure Active Directory
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2026-45480 CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Azure Active Directory allows unauthenticated remote attackers to bypass authentication controls and gain elevated access across tenant boundaries. With a maximum CVSS score of 10.0 and a scope-changing impact, successful exploitation could compromise identity, access, and resources federated through Azure AD. No public exploit identified at time of analysis, but the trivial attack complexity and network-reachable vector make this a top-priority issue for any organization relying on Azure AD for identity.

Authentication Bypass Microsoft Azure Active Directory
NVD VulDB
CVSS 3.1
10.0
EPSS
0.6%
CVE-2024-21381 MEDIUM PATCH This Month

Microsoft Azure Active Directory B2C Spoofing Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Microsoft Azure Active Directory
NVD
CVSS 3.1
6.8
EPSS
0.4%
CVE-2021-42306 HIGH PATCH This Week

An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential on an Azure AD Application. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Microsoft Information Disclosure Azure Active Directory Azure Active Site Recovery Azure Automation +1
NVD
CVSS 3.1
8.1
EPSS
3.1%
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Azure Active Directory (Entra ID) allows a remote unauthenticated attacker to send network traffic that drives affected processing into an infinite loop (CWE-835), exhausting resources and disrupting availability of the identity service. The flaw carries CVSS 7.5 with a high-availability impact, no confidentiality or integrity effect, and no public exploit identified at time of analysis. Microsoft has released a fix, which for this cloud-hosted service is applied server-side by the vendor.

Microsoft Denial Of Service Azure Active Directory
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Deserialization Azure Active Directory
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH NO ACTION HOSTED Monitor

Privilege escalation in Microsoft Azure Active Directory allows unauthenticated remote attackers to bypass authentication controls and gain elevated access across tenant boundaries. With a maximum CVSS score of 10.0 and a scope-changing impact, successful exploitation could compromise identity, access, and resources federated through Azure AD. No public exploit identified at time of analysis, but the trivial attack complexity and network-reachable vector make this a top-priority issue for any organization relying on Azure AD for identity.

Authentication Bypass Microsoft Azure Active Directory
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Microsoft Azure Active Directory B2C Spoofing Vulnerability. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Microsoft Azure Active Directory
NVD
EPSS 3% CVSS 8.1
HIGH PATCH This Week

An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential on an Azure AD Application. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Microsoft Information Disclosure Azure Active Directory +3
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy