CVE-2026-33117 - Vulnerability Details

- Azure SDK for Java Security Feature Bypass Vulnerability

Description

The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.

Published: 2026-05-12

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Azure SDK for Java’s Key Vault Keys library has a flaw in its local cryptographic verification path where authentication tag comparison is performed incorrectly. Applications that rely on that local cryptography path may accept specially crafted encrypted input and bypass integrity verification checks. Notably, calls to the remote Key Vault service remain correctly protected and are not affected by this flaw.

Affected Systems

Microsoft Azure SDK for Java, specifically the Key Vault Keys library. The vulnerability is present in all released versions before 4.10.6; version 4.10.6 and later contain the fix.

Risk and Exploitability

The CVSS score of 9.1 classifies this flaw as critical, indicating a high potential impact. The EPSS score of less than 1% suggests that the probability of exploitation is currently very low. The vulnerability is not yet listed in CISA’s KEV catalog, and no public exploits have been reported. Based on the description, the likely attack vector would be over a network, where an attacker could supply crafted ciphertext to a client application that uses the vulnerable local cryptographic path, causing it to accept tampered data as authentic. The flaw does not affect operations delegated to the Key Vault service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

Azure SDK for Java

affected

Version	Status	Constraints
`1.0.0`	affected	< 4.10.6

Configuration 1 [-]

cpe:2.3:a:microsoft:azure_sdk_for_java:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Microsoft

Azure Sdk For Java

95%

Version	Status	Scheme	Platform
`[1.0.0,4.10.6)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Microsoft Azure SDK for Java to the latest released version that includes the authentication fix.
Implement additional authentication checks at the application level to guard against missing SDK enforcement.
Restrict network traffic to the Azure SDK endpoints, limiting exposure to trusted internal hosts or applying firewall rules.

Generated by OpenCVE AI on May 22, 2026 at 23:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-97jf-46m3-8953	Security feature bypass vulnerability in Azure Key Vault Keys library for Java

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117

History

Fri, 22 May 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description	Improper authentication in Azure SDK allows an unauthorized attacker to bypass a security feature over a network.	The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.

Wed, 13 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 12 May 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		Improper authentication in Azure SDK allows an unauthorized attacker to bypass a security feature over a network.
Title		Azure SDK for Java Security Feature Bypass Vulnerability
First Time appeared		Microsoft Microsoft azure Sdk For Java
Weaknesses		CWE-287 CWE-347
CPEs		cpe:2.3:a:microsoft:azure_sdk_for_java::::::::
Vendors & Products		Microsoft Microsoft azure Sdk For Java
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}`

Subscriptions

Microsoft Azure Sdk For Java

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-05-12T16:58:17.299Z

Updated: 2026-06-05T16:38:27.134Z

Reserved: 2026-03-17T20:15:23.721Z

Link: CVE-2026-33117

Vulnrichment

Updated: 2026-05-13T10:02:50.535Z

NVD

Status : Modified

Published: 2026-05-12T18:17:04.033

Modified: 2026-05-22T23:16:43.150

Link: CVE-2026-33117

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T23:30:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object