
Critical Vulnerability in Azure DevOps
CVE-2026-42826 is a Critical information disclosure vulnerability affecting Azure DevOps and has a CVSS score of 10. This vulnerability allows unauthenticated remote attackers to disclose sensitive information over a network through an exposure of sensitive information flaw (CWE-200). Microsoft has proactively remediated this vulnerability within the cloud infrastructure without requiring any customer intervention.

Table 1. Critical vulnerability in Azure DevOps

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 10 | CVE-2026-42826 | Microsoft Azure DevOps Information Disclosure Vulnerability | No |

Critical Vulnerabilities in Azure Managed Instance for Apache Cassandra
CVE-2026-33109 and CVE-2026-33844 are Critical RCE vulnerabilities affecting Azure Managed Instance for Apache Cassandra, with CVSS scores of 9.9 and 9.0, respectively. Azure Managed Instance for Apache Cassandra is a fully managed cloud service for deploying and scaling Apache Cassandra clusters; RCE vulnerabilities in this service could allow attackers to compromise sensitive data workloads and underlying infrastructure.
An improper access control flaw (CVE-2026-33109) allows low-privileged remote attackers to execute arbitrary code with no user interaction required. An improper input validation flaw (CVE-2026-33844) similarly allows low-privileged remote attackers to execute code, though user interaction is required. Microsoft has proactively remediated these vulnerabilities within its cloud infrastructure without requiring any customer intervention.

Table 2. Critical vulnerabilities in Azure Managed Instance for Apache Cassandra

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 9.9 | CVE-2026-33109 | Azure Managed Instance for Apache Cassandra RCE Vulnerability | No |
| Critical | 9.0 | CVE-2026-33844 | Azure Managed Instance for Apache Cassandra RCE Vulnerability | No |

Critical Vulnerability in Microsoft Dynamics 365 On-Premises
CVE-2026-42898 is a Critical RCE vulnerability affecting Microsoft Dynamics 365 (on-premises) and has a CVSS score of 9.9. A code injection flaw (CWE-94) allows any authenticated remote attacker to execute code over a network with no user interaction required. An attacker could exploit this by modifying the saved state of a process session in Dynamics CRM and triggering the system to process that data, causing the server to unintentionally execute malicious code. An official fix is available for customers to deploy.

Table 3. Critical vulnerability in Microsoft Dynamics 365 On-Premises

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 9.9 | CVE-2026-42898 | Microsoft Dynamics 365 On-Premises RCE Vulnerability | Yes |

Critical Vulnerability in Windows Netlogon
CVE-2026-41089 is a Critical RCE vulnerability affecting Windows Netlogon and has a CVSS score of 9.8. A stack-based buffer overflow flaw (CWE-121) allows unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send a specially crafted network request to a Windows server running as a domain controller, causing the Netlogon service to improperly handle the request and execute malicious code without requiring any prior access or credentials. An official fix is available for customers to deploy.

Table 4. Critical vulnerability in Windows Netlogon

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 9.8 | CVE-2026-41089 | Windows Netlogon RCE Vulnerability | Yes |

Critical Vulnerability in Windows DNS Client
CVE-2026-41096 is a Critical RCE vulnerability affecting the Windows DNS Client and has a CVSS score of 9.8. A heap-based buffer overflow flaw (CWE-122) allows unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory, potentially enabling RCE without authentication.
While the Windows DNS Client is present on virtually all Windows workstations and servers, practical exploitation requires an attacker to be in a position to intercept or respond to a system's DNS requests, such as through DNS spoofing, a rogue DNS server, or a machine-in-the-middle position on the network, which represents a meaningful prerequisite to exploitation. An official fix is available for customers to deploy.

Table 5. Critical vulnerability in Windows DNS Client

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 9.8 | CVE-2026-41096 | Windows DNS Client RCE Vulnerability | Yes |

Critical Vulnerability in Microsoft Teams Events Portal
CVE-2026-33823 is a Critical information disclosure vulnerability affecting the Microsoft Teams Events Portal and has a CVSS score of 9.6. An improper authorization flaw (CWE-285) allows low-privileged remote attackers to disclose sensitive information over a network with no user interaction and low attack complexity. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Table 6. Critical vulnerability in Microsoft Teams Events Portal

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 9.6 | CVE-2026-33823 | Microsoft Teams Events Portal Information Disclosure Vulnerability | No |

Critical Spoofing Vulnerability in Azure Cloud Shell
CVE-2026-35428 is a Critical spoofing vulnerability affecting Azure Cloud Shell and has a CVSS score of 9.6. A command injection flaw (CWE-77) allows unauthenticated remote attackers to perform spoofing over a network. The vulnerability requires user interaction and has a changed scope with high confidentiality, integrity, and availability impact. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Table 7. Critical vulnerability in Azure Cloud Shell

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 9.6 | CVE-2026-35428 | Azure Cloud Shell Spoofing Vulnerability | No |

Critical Spoofing Vulnerability in Microsoft Enterprise Security Token Service
CVE-2026-40379 is a Critical spoofing vulnerability affecting Microsoft Enterprise Security Token Service (ESTS) and has a CVSS score of 9.3. An exposure of sensitive information flaw (CWE-200) in Azure Entra ID allows unauthenticated remote attackers to perform spoofing over a network. ESTS is the underlying token issuance infrastructure for Microsoft Entra ID (formerly Azure AD), responsible for authenticating users and issuing security tokens across Microsoft cloud services. A spoofing vulnerability here could allow attackers to impersonate users or services across any platform relying on Entra ID authentication.
The vulnerability requires user interaction and has a changed scope with high confidentiality and integrity impact. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Table 8. Critical vulnerability in Microsoft Enterprise Security Token Service

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 9.3 | CVE-2026-40379 | Microsoft ESTS Spoofing Vulnerability | No |

Critical Elevation of Privilege Vulnerability in Windows Hyper-V
CVE-2026-40402 is a Critical elevation of privilege vulnerability affecting Windows Hyper-V and has a CVSS score of 9.3. A use-after-free flaw (CWE-416) allows a low-privileged guest VM to elevate privileges and gain access to the Hyper-V host environment. A guest VM could exploit this by forcing the Hyper-V host's kernel to read from an arbitrary address, potentially allowing the attacker to traverse the guest's security boundary. In most circumstances, this would result in a denial of service of the host; however, exploitation could also trigger hardware device-specific side effects that may further compromise host security. An official fix is available for customers to deploy.

Table 9. Critical vulnerability in Windows Hyper-V

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 9.3 | CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability | Yes |

Critical Elevation of Privilege Vulnerability in Microsoft SSO Plugin for Jira and Confluence
CVE-2026-41103 is a Critical elevation of privilege vulnerability affecting the Microsoft SSO Plugin for Jira and Confluence and has a CVSS score of 9.1. An incorrect implementation of an authentication algorithm (CWE-303) allows unauthenticated remote attackers to elevate privileges with no user interaction and low attack complexity. The Microsoft SSO Plugin enables organizations to use Microsoft Entra ID as an identity provider for Atlassian Jira and Confluence; an authentication bypass in this plugin could allow attackers to impersonate users across these platforms.
An attacker could send a specially crafted single sign-on (SSO) response during the login process to forge an identity, bypassing Microsoft Entra ID authentication entirely and gaining unauthorized access to Jira or Confluence with the permissions of the compromised account. An official fix is available for customers to deploy.

Table 10. Critical vulnerability in Microsoft SSO Plugin for Jira and Confluence

| Severity | CVSS Score | CVE | Description | Action Required? |
|---|---|---|---|---|
| Critical | 9.1 | CVE-2026-41103 | Microsoft SSO Plugin for Jira and Confluence Elevation of Privilege Vulnerability | Yes |

Facts Only

CVE-2026-42826 is a critical information disclosure vulnerability in Azure DevOps with a CVSS score of 10.
CVE-2026-33109 and CVE-2026-33844 are critical RCE vulnerabilities in Azure Managed Instance for Apache Cassandra, with CVSS scores of 9.9 and 9.0, respectively.
CVE-2026-42898 is a critical RCE vulnerability in Microsoft Dynamics 365 (on-premises) with a CVSS score of 9.9.
CVE-2026-41089 is a critical RCE vulnerability in Windows Netlogon with a CVSS score of 9.8.
CVE-2026-41096 is a critical RCE vulnerability in Windows DNS Client with a CVSS score of 9.8.
CVE-2026-33823 is a critical information disclosure vulnerability in Microsoft Teams Events Portal with a CVSS score of 9.6.
CVE-2026-35428 is a critical spoofing vulnerability in Azure Cloud Shell with a CVSS score of 9.6.
CVE-2026-40379 is a critical spoofing vulnerability in Microsoft Enterprise Security Token Service with a CVSS score of 9.3.
CVE-2026-40402 is a critical elevation of privilege vulnerability in Windows Hyper-V with a CVSS score of 9.3.
CVE-2026-41103 is a critical elevation of privilege vulnerability in Microsoft SSO Plugin for Jira and Confluence with a CVSS score of 9.1.
Microsoft remediated cloud-based vulnerabilities (Azure DevOps, Apache Cassandra, Teams Events Portal, Cloud Shell, ESTS) without customer intervention.
On-premises vulnerabilities (Dynamics 365, Netlogon, DNS Client, Hyper-V, SSO Plugin) require customer-applied patches.

Executive Summary

Microsoft has disclosed multiple critical vulnerabilities across its cloud and on-premises products, with CVSS scores ranging from 9.0 to 10.0. The most severe, CVE-2026-42826, is an information disclosure flaw in Azure DevOps, allowing unauthenticated remote attackers to access sensitive data. Microsoft has remediated this and several other cloud-based vulnerabilities (e.g., Azure Managed Instance for Apache Cassandra, Teams Events Portal, Cloud Shell, and Enterprise Security Token Service) without requiring customer action. However, on-premises and hybrid systems—including Microsoft Dynamics 365, Windows Netlogon, Windows DNS Client, Windows Hyper-V, and the Microsoft SSO Plugin for Jira/Confluence—require manual patching. These vulnerabilities enable remote code execution, privilege escalation, or spoofing, with some exploitable without authentication. The remediation approach varies: cloud services were fixed proactively, while on-premises solutions demand customer intervention. The disclosure highlights the differing security postures between cloud-managed and self-managed Microsoft environments.
The vulnerabilities span multiple attack vectors, from memory corruption (e.g., buffer overflows in Netlogon and DNS Client) to authentication bypasses (e.g., SSO plugin flaws). While cloud-based exploits were neutralized by Microsoft, the on-premises risks remain active until patches are applied. The severity underscores the ongoing challenge of securing hybrid IT infrastructures, where responsibility is shared between vendor and customer. No evidence suggests these vulnerabilities have been exploited in the wild, but their critical ratings warrant urgent attention, particularly for organizations relying on unpatched on-premises systems.

Full Take

This disclosure reveals a strategic divide in Microsoft’s security posture: cloud services benefit from proactive remediation, while on-premises systems rely on customer diligence. The pattern suggests a deliberate shift in responsibility—cloud vulnerabilities are neutralized silently, but on-premises risks demand manual action, creating a two-tiered security model. This aligns with broader industry trends where vendors prioritize cloud-native protections while deprioritizing legacy or hybrid environments. The vulnerabilities themselves follow familiar attack patterns: memory corruption (CWE-121, CWE-122), authentication bypasses (CWE-285, CWE-303), and input validation failures (CWE-200, CWE-77). The absence of exploitation reports may reflect either effective secrecy or the challenges of weaponizing these flaws in real-world scenarios.
The root cause here isn’t technical but structural: the tension between vendor control and customer autonomy. Microsoft’s cloud-first security model assumes homogeneity—uniform infrastructure, automated updates—but on-premises systems operate in heterogeneous, often fragmented environments. The implications extend beyond patching: organizations face a choice between ceding control to cloud providers or bearing the operational burden of self-management. Who benefits? Cloud adopters gain seamless security; who bears costs? Enterprises with legacy systems or compliance constraints. Second-order consequences include potential compliance gaps for unpatched systems and the erosion of trust in hybrid security models.
Bridge questions: How might this dual-track remediation approach influence enterprise cloud migration decisions? What incentives could Microsoft introduce to bridge the security gap for on-premises customers? If these vulnerabilities had been exploited before disclosure, how would the narrative around cloud vs. on-premises security shift?
Counterstrike scan: A coordinated influence campaign exploiting this disclosure might amplify fears of on-premises insecurity to accelerate cloud adoption, framing it as the only viable path to safety. However, the content itself presents a balanced view—acknowledging both cloud remediation and on-premises risks—without overtly pushing a migration agenda. The alignment with a hypothetical attack playbook is minimal; the focus remains on factual disclosure rather than manipulative framing.
Patterns detected: none

Sentinel — Likely Synthetic

Confidence

The text displays strong coordination and stylistic homogeneity, strongly suggesting generation by an AI system compiling structured data rather than organic human journalistic writing.

Signals Detected
medium severity: Extreme uniformity in sentence structure and formal tone; lack of human errant rhythm.
low severity: Perfect, relentless descriptive flow devoid of subjective voice or narrative framing.
high severity: Strict adherence to a repetitive, tabular structure and formulaic presentation of vulnerability data across multiple unrelated CVEs.
low severity: Claims are presented purely as data points, characteristic of structured data extraction rather than journalistic synthesis.
Human Indicators
No idiosyncratic emphasis, personal voice, or stylistic fingerprint was detected.
The structure is highly formalized, suggesting automated compilation or adherence to a strict data schema.
May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs — Arc Codex