Description
Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-02-05
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Improper access control in Azure Arc lets an unauthorized attacker gain elevated privileges over the network, allowing unauthorized manipulation of Azure Arc resources. This flaw enables the attacker to bypass defined security boundaries and perform actions that require higher permissions, potentially compromising the confidentiality, integrity, and availability of the affected environment.

Affected Systems

Microsoft Azure Arc is affected. No specific version information is available in the provided data.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity vulnerability. With an EPSS score of less than 1%, the likelihood of exploitation is low, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be network-based, as the description states the attacker must be able to reach Azure Arc over a network to exploit improper access controls.

Generated by OpenCVE AI on April 15, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Azure Arc update released by Microsoft to address the access control flaw.
  • Review Azure Arc role assignments and enforce the principle of least privilege to ensure users have only the permissions necessary for their tasks.
  • If feasible, restrict or isolate network access to Azure Arc management endpoints until the patch is deployed.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | Azure Arc Elevation of Privilege Vulnerability | Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network.

Thu, 12 Feb 2026 18:45:00 +0000

Type | Values Removed | Values Added
CPEs |  | cpe:2.3:a:microsoft:azure_arc:-:*:*:*:*:*:*:*

Fri, 06 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description |  | Azure Arc Elevation of Privilege Vulnerability
Title |  | Azure Arc Elevation of Privilege Vulnerability
First Time appeared |  | Microsoft; Microsoft azure Arc
Weaknesses |  | CWE-284
CPEs |  | cpe:2.3:a:microsoft:azure_arc:*:*:*:*:*:*:*:*
Vendors & Products |  | Microsoft; Microsoft azure Arc
References |  |
Metrics |  | cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:38.262Z

Reserved: 2026-01-21T21:28:02.969Z

Link: CVE-2026-24302

Vulnrichment

Updated: 2026-02-06T13:44:16.150Z

NVD

Status: Modified

Published: 2026-02-05T23:15:54.653

Modified: 2026-04-10T14:16:34.447

Link: CVE-2026-24302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses