Description
Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.
Published: 2026-01-23
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Improper Access Control
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from improper access control in Microsoft Azure Resource Manager, enabling an attacker who already holds valid credentials to elevate their privileges over the network. The flaw allows a user with limited rights to acquire higher-level permissions, which could in turn enable arbitrary configuration changes, data exfiltration, or denial‑of‑service conditions. The CVSS score of 9.9 indicates catastrophic risk to confidentiality, integrity, and availability if exploited.

Affected Systems

Microsoft Azure Resource Manager is the affected product. No specific version information is provided in the CNA data; therefore all deployments of Azure Resource Manager that have not applied the latest security updates may be susceptible.

Risk and Exploitability

Although the CVSS score is 9.9, the EPSS score is below 1%, so the likelihood of exploitation in the wild appears low, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be network‑based, originating from an authenticated account with legitimate access to the ARM API. An attacker would need to abuse the flawed permission enforcement to move from a lower‑privilege role to a higher one, thereby gaining full control over Azure resources. The danger lies in the potential for broad platform compromise once privilege elevation is achieved.

Generated by OpenCVE AI on April 16, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Azure Resource Manager updates from Microsoft to remove the access control flaw.
  • Enforce least‑privilege principles by reviewing and limiting Azure RBAC roles assigned to users and service principals.
  • Segregate management traffic by restricting ARM endpoint access to trusted management networks and applying firewall or network security group rules.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 17:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:microsoft:azure_resource_manager:-:*:*:*:*:*:*:*

Fri, 23 Jan 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 02:00:00 +0000

Type: Description
Values Added: Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.

Type: Title
Values Added: Azure Resource Manager Elevation of Privilege Vulnerability

Type: First Time appeared
Values Added: Microsoft; Microsoft azure Resource Manager

Type: Weaknesses
Values Added: CWE-284

Type: CPEs
Values Added: cpe:2.3:a:microsoft:azure_resource_manager:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Microsoft; Microsoft azure Resource Manager

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:23.361Z

Reserved: 2026-01-21T21:28:02.969Z

Link: CVE-2026-24304

Vulnrichment

Updated: 2026-01-23T19:57:27.603Z

NVD

Status: Analyzed

Published: 2026-01-23T02:15:55.547

Modified: 2026-02-12T17:23:04.043

Link: CVE-2026-24304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:00:12Z

Weaknesses