Description
Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper access control flaw in the Azure Portal implementation of Windows Admin Center that enables an attacker who already has authorized access to elevate their privileges locally. The flaw leads to a local privilege escalation, potentially granting the attacker administrative rights on the system where the Admin Center is running. This weakness aligns with CWE‑284 (Improper Access Control).

Affected Systems

The affected product is Microsoft Windows Admin Center as accessed through the Azure Portal. Specific affected versions are not listed in the provided data. The Common Platform Enumeration strings indicate the Azure Portal Windows Admin Center and Windows Admin Center products across all versions.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, the likely attack scenario is an authorized user within the Azure Portal exploiting the improper access control to gain elevated local privileges. No additional exploitation prerequisites are stated in the available information.

Generated by OpenCVE AI on March 18, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Microsoft update guide for CVE‑2026‑23660 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23660) and apply the latest Windows Admin Center update for Azure Portal.
  • Restrict privileged access to the Azure Portal and Windows Admin Center to only users who require such permissions.
  • Verify that the access control settings for the Admin Center environment comply with least‑privilege principles and are correctly configured to prevent unauthorized elevation.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft windows Admin Center
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:microsoft:windows_admin_center:*:*:*:*:*:azure:*:*
Vendors & Products | | Microsoft windows Admin Center

Wed, 11 Mar 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft windows Admin Center In Azure Portal
Vendors & Products | | Microsoft windows Admin Center In Azure Portal

Tue, 10 Mar 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper access control in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.
Title | | Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability
First Time appeared | | Microsoft; Microsoft azure Portal Windows Admin Center
Weaknesses | | CWE-284
CPEs | | cpe:2.3:a:microsoft:azure_portal_windows_admin_center:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft azure Portal Windows Admin Center
References | |
Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:32:21.775Z

Reserved: 2026-01-14T16:59:33.463Z

Link: CVE-2026-23660

Vulnrichment

Updated: 2026-03-11T13:02:43.899Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:14.060

Modified: 2026-03-18T17:39:18.910

Link: CVE-2026-23660

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:31:47Z

Weaknesses