Description
Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network.
Published: 2026-01-22
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

This vulnerability enables an unauthorized network actor to access sensitive data stored in Azure Data Explorer. The flaw is an information disclosure weakness classified as CWE-200, allowing attackers to read data that should be restricted, thereby compromising confidentiality.

Affected Systems

The affected product is Microsoft Azure Data Explorer. No specific versioning information is provided by the CNA; service administrators should verify whether their deployments have applied the latest update that addresses this issue.

Risk and Exploitability

The CVSS score of 7.4 indicates a high potential impact if the vulnerability is exploited. The EPSS score is less than 1%, suggesting that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, so it does not appear to be actively exploited. The likely attack vector is network-based; an adversary would require network access to the Azure Data Explorer instance and may exploit exposed endpoints or misconfigured permissions to gain unauthorized data access.

Generated by OpenCVE AI on April 16, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Azure Data Explorer update from Microsoft that resolves CVE-2026-21524.
  • Restrict network access to the Azure Data Explorer service, limiting traffic to trusted IP ranges or secure VNet endpoints.
  • Enable and review data access controls and role‑based access to confirm that only authorized entities can retrieve sensitive information.
  • Monitor audit logs for anomalous data access attempts that could indicate exploitation attempts.

Generated by OpenCVE AI on April 16, 2026 at 07:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:azure_data_explorer:-:*:*:*:*:*:*:*

Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network.
Title Azure Data Explorer Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft azure Data Explorer
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:azure_data_explorer:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Data Explorer
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C'}

Subscriptions

Microsoft Azure Data Explorer
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:24.473Z

Reserved: 2025-12-30T18:10:54.846Z

Link: CVE-2026-21524

cve-icon Vulnrichment

Updated: 2026-01-23T20:07:47.121Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T23:15:57.993

Modified: 2026-02-03T12:47:27.503

Link: CVE-2026-21524

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:45:06Z

Weaknesses