CVE-2026-42826: Azure DevOps Unauthenticated Information Disclosure [Critical · CVSS 10.0]
QUICK SUMMARY
CVE-2026-42826 is a maximum-severity (CVSS 10.0) unauthenticated information disclosure vulnerability in Microsoft Azure DevOps. Classified under CWE-200, the flaw allows a remote, unauthenticated attacker to expose sensitive information over the network — with Changed Scope, meaning the impact extends beyond the directly compromised component.
The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) confirms High impact across Confidentiality, Integrity, and Availability — an unusual profile for a disclosure-category bug, suggesting exfiltration of secrets or tokens that enable further compromise across downstream systems.
Action required: Apply Microsoft’s security update immediately. If patching is not yet possible, restrict unauthenticated network access to Azure DevOps endpoints and audit access logs for anomalous anonymous activity.
📊 CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network (N) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | None (N) |
| Scope (S) | Changed (C) |
| Confidentiality (C) | High (H) |
| Integrity (I) | High (H) |
| Availability (A) | High (H) |
| Base Score | 10.0 (Critical) |
🔬 Technical Details
Vulnerability Mechanism
CVE-2026-42826 arises from an access control breakdown in Azure DevOps that allows an unauthenticated attacker to reach internal API endpoints or storage paths that expose sensitive organisational data. The flaw does not require authentication at any stage — an attacker needs only network-level reachability to the Azure DevOps service.
The Changed Scope (S:C) designation is the critical differentiator here. It signals that a successful exploit can affect resources outside the directly vulnerable component — in Azure DevOps’ case, this could mean downstream pipelines, connected Azure subscriptions, or secret stores (Key Vault references, pipeline variables, service connection credentials) that are accessible via the extracted data.
The simultaneous rating of High Integrity and Availability impact alongside Confidentiality (C:H/I:H/A:H) implies the exposed information likely includes credentials, tokens, or PATs (Personal Access Tokens) with write privileges — enabling an attacker to pivot from data exposure to active manipulation or service disruption.
Attack Chain
1. Attacker identifies a publicly reachable Azure DevOps organisation URL (e.g., dev.azure.com/<org>). No credentials required.
2. A crafted HTTP request targets an improperly protected endpoint, bypassing the authentication layer and returning sensitive organisational data including pipeline configuration, secrets references, and service connection details.
3. Extracted PATs, service principal credentials, or Key Vault references are used to authenticate as a legitimate identity against Azure services, enabling lateral movement across the tenant.
4. Attacker modifies pipeline YAML, injects malicious build steps, exfiltrates source code, or disrupts CI/CD workflows — consistent with the C:H/I:H/A:H impact rating.
🎯 Affected Products
| Product | Component | Status |
|---|---|---|
| Azure DevOps Services | Cloud-hosted (dev.azure.com) | Patched by Microsoft |
| Azure DevOps Server | On-premises installations | Patch Available — Apply Now |
| Azure Pipelines | CI/CD pipeline service (integrated) | Patched via DevOps update |
💥 Impact Assessment
Credential Theft
Exposed PATs, service principal secrets, and pipeline variables enable full account takeover without brute-force.
Source Code Exfiltration
Entire repositories — including private code, infrastructure-as-code, and embedded secrets — can be cloned by an unauthenticated actor.
Supply Chain Risk
Pipeline YAML injection or artifact tampering enables malicious code to propagate into production builds and downstream consumers.
Lateral Movement to Azure
Service connections to Azure subscriptions, Kubernetes clusters, and ACR registries become attack surfaces once DevOps credentials are leaked.
🛡️ Microsoft Sentinel — KQL Detection Query
Production-ready query to detect anomalous unauthenticated or low-privilege activity against Azure DevOps REST APIs consistent with CVE-2026-42826 exploitation attempts.
```kql
// ─────────────────────────────────────────────────────────────────────────
// CVE-2026-42826 | Azure DevOps Unauthenticated Information Disclosure
// Hunt for suspicious anonymous or unauthenticated API access patterns
// targeting Azure DevOps REST endpoints.
// Author: Sujit Mahakhud | secbyte.in | May 2026
// ─────────────────────────────────────────────────────────────────────────
AzureDevOpsAuditing
| where TimeGenerated >= ago(24h)
| where Area == "REST" or Area == "API"
// Flag anonymous/unauthenticated calls — PR:N is the core exploit condition
| where AuthenticationMechanism in~ ("Anonymous", "None", "")
    or ActorUPN == ""
    or ActorUPN has "anonymous"
// Focus on high-value endpoints that would expose secrets/configs
| where Details has_any (
    "variablegroups", "serviceendpoints", "repositories",
    "pipelines", "builds", "tokens", "settings"
  )
// Enrich with caller IP for threat intel correlation
| extend CallerIP = tostring(Data.RemoteIP),
         Endpoint = tostring(Data.RequestUrl),
         HttpMethod = tostring(Data.HttpMethod),
         ResponseCode = tostring(Data.HttpStatus)
// Successful responses from unauth'd callers are the key signal
| where ResponseCode startswith "2"
| summarize TotalHits = count(),
            Endpoints = make_set(Endpoint, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by CallerIP, HttpMethod, ActorUPN, OperationName
| where TotalHits >= 3   // Reduce noise; tune threshold per environment
| extend RiskScore = case(
    TotalHits > 20, "HIGH",
    TotalHits > 5, "MEDIUM",
    "LOW"
  )
| project LastSeen, FirstSeen, CallerIP, HttpMethod, OperationName, TotalHits, RiskScore, Endpoints
| order by TotalHits desc
// ─── Supplemental: Correlate with ThreatIntelligenceIndicator ───────────────
// Uncomment to enrich CallerIP against Microsoft Sentinel Threat Intelligence
// | join kind=leftouter (
//     ThreatIntelligenceIndicator
//     | where TimeGenerated >= ago(7d) and Active == true
//     | project TI_IP = NetworkIP, ThreatType, ConfidenceScore
// ) on $left.CallerIP == $right.TI_IP
```
📌 Deployment note: Requires the AzureDevOpsAuditing table — enable via Azure DevOps Organisation Settings → Auditing → Stream to Log Analytics Workspace. Adjust the TotalHits ≥ 3 threshold and the endpoint keyword list to match your environment’s normal traffic profile before deploying as an Analytics Rule.
🔧 Mitigation & Recommendations
Azure DevOps Services has been patched automatically by Microsoft. If you operate Azure DevOps Server (on-premises), download and apply the latest cumulative update from the MSRC Advisory page immediately. Do not defer.
Assume all PATs and service principal credentials stored in Azure DevOps may have been exposed. Rotate them immediately: revoke existing tokens, regenerate service connection secrets, and update pipeline variable groups. Check Key Vault references for signs of access outside your known pipeline activity windows.
In Azure DevOps Organisation Settings, configure IP allowlisting to restrict REST API access to known corporate egress IPs and your CI/CD agent pools. This is a strong compensating control while patching is validated in on-premises environments.
Enable Azure DevOps Auditing and stream logs to your Log Analytics Workspace. Deploy the KQL query above as a Sentinel Analytics Rule with a High severity alert. Configure a playbook to auto-quarantine the calling IP and page your SOC on any hits.
Query AzureActivity and SigninLogs in Sentinel for authentication events from unexpected IPs using service principal identities associated with Azure DevOps service connections. Cross-correlate timestamps with the DevOps audit log anomalies.
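One way to do that cross-correlation in Sentinel, written here as an added example rather than a query from the original advisory: it joins successful service-principal sign-ins (which land in the AADServicePrincipalSignInLogs table, not in SigninLogs, which holds interactive user sign-ins) against the IPs that made anonymous calls to Azure DevOps, and keeps only sign-ins from IPs the principal has not used in the preceding baseline window. It assumes the top-level IpAddress column of AzureDevOpsAuditing, and the SvcConnectionSPNs list is a placeholder you replace with the display names of the service principals behind your own service connections.

```kql
// Added example, not part of the original advisory.
// Correlate service-principal sign-ins from new IPs with anonymous Azure DevOps API activity.
let lookback = 7d;    // hunt window
let baseline = 30d;   // window used to learn each principal's normal source IPs
// Placeholder: replace with the display names of the SPs behind your service connections
let SvcConnectionSPNs = dynamic(["<devops-service-connection-sp-1>", "<devops-service-connection-sp-2>"]);
// IPs that reached Azure DevOps without an authenticated actor during the hunt window
// (assumes the top-level IpAddress column of AzureDevOpsAuditing)
let SuspectIPs = AzureDevOpsAuditing
    | where TimeGenerated >= ago(lookback)
    | where AuthenticationMechanism in~ ("Anonymous", "None", "") or ActorUPN == ""
    | where isnotempty(IpAddress)
    | summarize DevOpsFirstSeen = min(TimeGenerated), DevOpsHits = count() by IpAddress;
// Source IPs each service principal used before the hunt window (the baseline)
let KnownIPs = AADServicePrincipalSignInLogs
    | where TimeGenerated between (ago(baseline) .. ago(lookback))
    | where ServicePrincipalName in (SvcConnectionSPNs)
    | summarize by ServicePrincipalName, IPAddress;
AADServicePrincipalSignInLogs
| where TimeGenerated >= ago(lookback)
| where ServicePrincipalName in (SvcConnectionSPNs)
| where ResultType == "0"                                   // successful sign-ins only
| join kind=leftanti KnownIPs on ServicePrincipalName, IPAddress   // drop IPs seen in the baseline
| join kind=inner SuspectIPs on $left.IPAddress == $right.IpAddress // same IP also hit DevOps anonymously
| where TimeGenerated >= DevOpsFirstSeen                    // sign-in happened after the DevOps activity
| project TimeGenerated, ServicePrincipalName, ServicePrincipalId, IPAddress,
          ResourceDisplayName, DevOpsFirstSeen, DevOpsHits
| order by TimeGenerated asc
```

Any row this returns is a service principal that authenticated from an address it had never used before, after that same address made unauthenticated calls to your Azure DevOps organisation; treat it as a rotation-and-revoke trigger for that service connection rather than as an alert to triage at leisure. Widen the baseline window if your pipeline agents rotate egress IPs frequently, otherwise normal agent churn will surface as false positives.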
📎 References
- 🔗 Microsoft Security Response Center — CVE-2026-42826 Advisory: official MSRC advisory with patch links and severity details
- 🔗 TheHackerWire — Azure DevOps Critical Information Disclosure (CVE-2026-42826): technical write-up and impact analysis
- 🔗 Vulnerability-Lookup — MSRC CVE-2026-42826: CIRCL vulnerability database entry with CVSS vector details
