Description
Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-03-19
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Elevation of Privilege
Action: Immediate Patch
AI Analysis

Impact

An Azure DevOps component dubbed msazure stores credentials in an insufficiently protected manner. This flaw enables an attacker who can reach the system over a network to acquire those credentials and subsequently elevate privileges. The consequence is a compromise of account and the potential to modify or delete data, undermining confidentiality and integrity.

Affected Systems

The vulnerability applies to Microsoft Azure DevOps services, specifically the msazure component referenced by the vendor. No explicit affected version ranges are listed in the CNA data, so administrators cannot rely on version numbers alone and should verify all deployed instances.

Risk and Exploitability

The flaw is rated a high CVSS score of 8.6 and has an EPSS less than 1%, indicating low likelihood of widespread exploitation at present. It is not yet catalogued in CISA’s KEV list. The attack vector is inferred to be network based, allowing an unauthorized remote actor to acquire privileges without local access.

Generated by OpenCVE AI on April 2, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for Azure DevOps msazure as published by Microsoft

Generated by OpenCVE AI on April 2, 2026 at 03:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:azure_devops:-:*:*:*:*:*:*:*

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft azure Devops
Vendors & Products Microsoft azure Devops

Thu, 19 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.
Title Azure DevOps: msazure Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft azure Devops Msazure
Weaknesses CWE-522
CPEs cpe:2.3:a:microsoft:azure_devops_msazure:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Devops Msazure
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Azure Devops Azure Devops Msazure
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-09T23:25:58.346Z

Reserved: 2026-01-14T16:59:33.463Z

Link: CVE-2026-23658

cve-icon Vulnrichment

Updated: 2026-03-20T17:06:41.955Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T21:16:54.487

Modified: 2026-04-01T15:14:56.417

Link: CVE-2026-23658

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:46Z

Weaknesses