Mallory

Microsoft Discloses Critical Azure MCP Server and AKS Authentication Flaws

Tags: cloud-service-vulnerability, identity-authentication-vulnerability, widely-deployed-product-advisory

Updated April 3, 2026 at 01:04 AM · 6 sources


Microsoft disclosed two high-severity vulnerabilities affecting hosted Azure services: CVE-2026-32211 in Azure MCP Server and CVE-2026-33105 in Azure Kubernetes Service (AKS). The Azure MCP Server issue is an information disclosure flaw tied to missing authentication for a critical function (CWE-306), allowing an unauthenticated attacker to access sensitive information over the network. Its CVSS v3.1 vector, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicates remote exploitation with no privileges or user interaction required.

Microsoft also published CVE-2026-33105, an improper authorization vulnerability in AKS mapped to CWE-285, which could let an unauthenticated attacker elevate privileges remotely. The CVSS v3.1 vector, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflects potential high impact across confidentiality, integrity, and availability. Both entries were identified as affecting exclusively hosted services and point defenders to Microsoft’s MSRC advisories for service-specific remediation and exposure assessment.

Timeline

  1. Apr 3, 2026

    Microsoft discloses CVE-2026-26135 affecting Azure Custom Locations RP

    On 2026-04-03, Microsoft documented CVE-2026-26135 as a server-side request forgery vulnerability in Azure Custom Locations Resource Provider that could allow an authorized attacker to elevate privileges over a network. The issue is classified as CWE-918, carries a high-severity CVSS v3.1 vector, and references an MSRC advisory for an exclusively hosted service.

  2. Apr 3, 2026

    Microsoft discloses CVE-2026-33107 affecting Azure Databricks

    On 2026-04-03, Microsoft documented CVE-2026-33107, a server-side request forgery vulnerability in Azure Databricks that could allow an unauthorized attacker to elevate privileges over a network. The issue is classified as CWE-918, carries a high-severity CVSS v3.1 vector, and references an MSRC advisory for the exclusively hosted service.

  3. Apr 3, 2026

    Microsoft discloses CVE-2026-33105 affecting Azure Kubernetes Service

    On 2026-04-03, Microsoft disclosed CVE-2026-33105 as an improper authorization vulnerability in Microsoft Azure Kubernetes Service that could let an unauthorized attacker elevate privileges remotely. The record maps to CWE-285, carries a high-severity CVSS v3.1 vector, and is tagged as an exclusively hosted service with an MSRC reference.

  4. Apr 3, 2026

    Microsoft publishes CVE-2026-32211 for Azure MCP Server

    Microsoft received and published CVE-2026-32211 on 2026-04-03, describing a missing authentication flaw in Azure MCP Server that could allow an unauthorized attacker to disclose information over a network. The entry maps the issue to CWE-306, includes a high-impact CVSS v3.1 vector, and references an MSRC advisory.


Sources

1 more from sources such as cvefeed (high severity feed)

Related Stories

Microsoft Discloses Multiple Critical Cloud and AI Service Vulnerabilities


Microsoft published several **critical** security advisories affecting cloud and AI services, including **Azure Cloud Shell**, **Azure DevOps**, **Azure Data Factory**, **Microsoft Copilot**, **M365 Copilot**, **Microsoft 365 Copilot BizChat**, **Microsoft Bing**, and **Bing Images**. The issues span **elevation of privilege**, **information disclosure**, **tampering**, and **remote code execution**, with listed weakness classes including **SSRF** (`CWE-918`), **insufficiently protected credentials** (`CWE-522`), **sensitive information exposure** (`CWE-200`), and **command injection** (`CWE-77`/`CWE-78`). Several advisories state that the vulnerabilities **require no customer action to resolve**, indicating Microsoft-managed remediation for affected online services. The most severe disclosures include **CVE-2026-32169** in *Azure Cloud Shell* with a **CVSS 10.0** elevation-of-privilege rating, **CVE-2026-32191** in *Microsoft Bing Images* with a **CVSS 9.8** remote code execution rating, and high-impact flaws in *Azure DevOps* (**CVE-2026-23658**), *Azure Data Factory* (**CVE-2026-23659**), and *Microsoft 365 Copilot BizChat* (**CVE-2026-26137**). Separate advisories also cover information disclosure in *Microsoft Copilot* (**CVE-2026-26136**) and *M365 Copilot* (**CVE-2026-24299**), plus a tampering flaw in *Microsoft Bing* (**CVE-2026-26120**). A separate report on the **RegPwn** Windows Registry privilege-escalation bug (**CVE-2026-24291**) describes a different issue in Windows accessibility and Secure Desktop handling and is not part of the same Microsoft cloud-service disclosure set.

1 week ago
Microsoft discloses SSRF flaws in Purview, Entra ID, and Dynamics 365 Online


Microsoft published three high-severity cloud-service vulnerabilities affecting **Microsoft Purview eDiscovery**, **Microsoft Entra ID Entitlement Management**, and **Microsoft Dynamics 365 Online**. The flaws are tracked as `CVE-2026-26150`, `CVE-2026-35431`, and `CVE-2026-32210`, and all are classified as **server-side request forgery (SSRF)** under `CWE-918`. Microsoft tagged each issue as affecting an **exclusively hosted service**, indicating exposure in Microsoft-managed online environments rather than on-premises deployments. According to the CVE records, `CVE-2026-26150` could let an unauthorized attacker elevate privileges over a network in Purview eDiscovery, while `CVE-2026-35431` and `CVE-2026-32210` could enable spoofing in Entra ID Entitlement Management and Dynamics 365 Online. The published `CVSS v3.1` vectors show low attack complexity and no required privileges across all three issues, with Entra ID carrying the broadest potential impact to confidentiality, integrity, and availability, and Dynamics 365 requiring user interaction. Microsoft linked the disclosures to its Security Response Center guidance for customer tracking and remediation.

1 week ago
Multiple Microsoft Azure Vulnerabilities Enable Privilege Escalation


Germany's dCERT published two advisories covering **multiple vulnerabilities in Microsoft Azure**, with the later notice stating that the flaws can allow **privilege escalation**. The advisories identify Azure as the affected platform but provide no public synopsis, indicating only that several security issues were addressed across the cloud service. The paired notices suggest an evolving disclosure in which Microsoft Azure vulnerabilities were first reported broadly and then updated with a more specific impact assessment tied to elevated privileges. Organizations using Azure should review the corresponding vendor guidance and remediation information for the affected services, prioritize patching, and assess whether exposed identities, roles, or cloud resources could be affected by unauthorized privilege gains.

1 week ago
