Description
Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-05-22
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Authentication bypass through an alternate path or channel in Microsoft Azure Active Directory B2C permits an unauthorized attacker to elevate privileges over a network, enabling them to access resources or perform actions beyond their authorized scope. This flaw allows the attacker to gain higher-level permissions without proper verification, potentially compromising sensitive data and services.

Affected Systems

The vulnerability affects Microsoft Entra (Microsoft Entra ID) services that support alternative authentication channels. No specific product versions are listed, implying that any configuration exposing such alternate paths may be susceptible.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity. No EPSS score is available, but the lack of an EPSS value does not diminish the potential impact: the flaw remains exploitable over the network. It is not currently listed in the CISA KEV catalog. The attack vector is likely remote, requiring the attacker to access an alternate authentication channel to bypass standard verification checks.

Generated by OpenCVE AI on May 22, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for Microsoft Entra ID from the Microsoft Security Response Center.
  • Disable or restrict alternate authentication channels that are not essential, ensuring only trusted paths remain enabled.
  • Enforce multi‑factor authentication for all users interacting with Azure AD B2C and regularly audit authentication logs for anomalous access attempts.


Advisories

No advisories yet.

History

Fri, 22 May 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network. |
| Title | | Microsoft Azure Active Directory B2C Elevation of Privilege Vulnerability |
| First Time appeared | | Microsoft; Microsoft microsoft Entra Id |
| Weaknesses | | CWE-288 |
| CPEs | | cpe:2.3:a:microsoft:microsoft_entra_id:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft; Microsoft microsoft Entra Id |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-22T22:03:10.460Z

Reserved: 2026-03-24T00:52:01.354Z

Link: CVE-2026-33843

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T00:00:04Z

Weaknesses