Description
Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.
Published: 2026-05-07
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Exposure of sensitive information in Azure DevOps allows an unauthorized attacker to disclose information over a network, potentially revealing confidential data such as project configurations, credentials, or other sensitive artifacts. The vulnerability is classified as a high-severity information exposure (CWE-200), which could compromise the confidentiality of data managed within an organization’s Azure DevOps environment.

Affected Systems

Microsoft Azure DevOps is the affected product. No specific version information is listed, so all instances may be vulnerable until a patch is applied.

Risk and Exploitability

The vulnerability carries a CVSS score of 10, indicating critical severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is over a network; an attacker who can reach the Azure DevOps service may trigger the disclosure by accessing exposed endpoints.

Generated by OpenCVE AI on May 7, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft Azure DevOps security update that addresses the information disclosure vulnerability (see the Microsoft update guide at the provided reference).
  • Restrict network access to Azure DevOps services by configuring firewalls or VPNs so that only trusted users or applications can reach the affected endpoints.
  • Enable comprehensive logging and monitoring of data access patterns, and configure alerts for anomalous requests that might indicate attempts to read confidential information.

Advisories

No advisories yet.

History

Fri, 08 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:azure_devops:-:*:*:*:*:*:*:*

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.
Title Azure DevOps Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft azure Devops
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:azure_devops:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft azure Devops
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-09T03:55:53.107Z

Reserved: 2026-04-30T14:51:12.703Z

Link: CVE-2026-42826

Vulnrichment

Updated: 2026-05-08T14:14:33.296Z

NVD

Status: Analyzed

Published: 2026-05-07T22:16:35.587

Modified: 2026-05-08T19:50:24.040

Link: CVE-2026-42826

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T23:15:16Z

Weaknesses