Description
Azure Function Information Disclosure Vulnerability
Published: 2026-02-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a type of information disclosure (CWE-200) in Microsoft Azure Functions. A flaw permits remote actors to access sensitive data that should remain confidential, potentially exposing configuration details, secrets, or other private information. The impact is a breach of confidentiality for affected deployments.

Affected Systems

Microsoft Azure Functions is the product affected. No specific versions are listed, so all current Azure Functions deployments may be vulnerable until Microsoft releases a fix.

Risk and Exploitability

The CVSS score of 8.2 places the issue in the high severity range, while the EPSS score of less than 1% indicates a very low probability of public exploitation at this time. It is not listed in the CISA KEV catalog, which suggests no widespread known exploitation. Based on the description, it is inferred that the likely attack vector involves accessing publicly accessible Azure Function endpoints or management APIs. Until a vendor patch is available, the risk remains significant for any environment that stores or processes confidential data within Azure Functions.

Generated by OpenCVE AI on April 15, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Microsoft update guide and apply any available fix for this CVE as soon as it is released.
  • Enable authentication on function apps, such as Azure Active Directory or function app authentication, to restrict who can invoke the endpoints.
  • Restrict network access by configuring function app firewall rules or IP restrictions so that only trusted networks can reach the functions.
  • Monitor function app logs for any unusual access patterns that could indicate exploitation attempts.


Advisories

No advisories yet.

History

Thu, 12 Feb 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| CPEs | | cpe:2.3:a:microsoft:azure_functions:-:*:*:*:*:*:*:* |

Mon, 09 Feb 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 05 Feb 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Description | | Azure Function Information Disclosure Vulnerability |
| Title | | Azure Function Information Disclosure Vulnerability |
| First Time appeared | | Microsoft; Microsoft azure Functions |
| Weaknesses | | CWE-200 |
| CPEs | | cpe:2.3:a:microsoft:azure_functions:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft; Microsoft azure Functions |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:15.659Z

Reserved: 2025-12-30T18:10:54.847Z

Link: CVE-2026-21532

Vulnrichment

Updated: 2026-02-09T19:30:37.694Z

NVD

Status: Analyzed

Published: 2026-02-05T23:15:54.317

Modified: 2026-02-12T19:01:06.173

Link: CVE-2026-21532

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:00:12Z

Weaknesses