Description
Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
Published: 2026-05-12
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper access control in Azure Logic Apps permits an attacker who already possesses authorized credentials to elevate privileges across the network, potentially granting unintended access to resources and services. This flaw represents a classic authorization bypass, where the system fails to enforce the principle of least privilege for users with legitimate access. Exploitation does not necessarily require exploit code, but a successful attack can substantially increase the attacker's authority.

Affected Systems

Microsoft Azure Logic Apps is the affected product. No specific version range is published, implying the vulnerability may exist across all current releases until a patch is applied.

Risk and Exploitability

The CVSS score of 9.9 highlights the high severity of this issue, while the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits yet, but because authorized access is required, the threat comes from insiders or compromised credentials. The likely attack path requires an attacker to log into Azure using valid credentials; from there the flaw can be triggered, resulting in elevation of privileges.

Generated by OpenCVE AI on May 12, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft security update for CVE-2026-42823 to Azure Logic Apps.
  • Revoke or rotate any credentials that were used to perform the elevation and enforce least-privilege access controls on Logic Apps resources.
  • Audit and restrict privileged Azure role assignments using Azure AD Conditional Access and Azure Policy to prevent unnecessary privilege escalation.


Advisories

No advisories yet.

History

Thu, 14 May 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:azure_logic_apps:-:*:*:*:*:*:*:*

Tue, 12 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
Title | | Azure Logic Apps Elevation of Privilege Vulnerability
First Time appeared | | Microsoft; Microsoft azure Logic Apps
Weaknesses | | CWE-284
CPEs | | cpe:2.3:a:microsoft:azure_logic_apps:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft azure Logic Apps
References | |
Metrics | | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Azure Logic Apps
MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T18:09:12.266Z

Reserved: 2026-04-30T14:51:12.702Z

Link: CVE-2026-42823

Vulnrichment

Updated: 2026-05-12T19:17:19.145Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:25.170

Modified: 2026-05-14T14:25:49.913

Link: CVE-2026-42823

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:45:05Z

Weaknesses