{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23655", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-14T16:59:33.462Z", "datePublished": "2026-02-10T17:51:24.484Z", "dateUpdated": "2026-05-11T21:25:23.224Z"}, "containers": {"cna": {"title": "Microsoft ACI Confidential Containers Information Disclosure Vulnerability", "datePublic": "2026-02-10T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:microsoft_aci_confidential_containers:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "2.12"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft ACI Confidential Containers", "versions": [{"version": "1.0.0", "lessThan": "2.12", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Cleartext storage of sensitive information in Azure Compute Gallery allows an authorized attacker to disclose information over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-312: Cleartext Storage of Sensitive Information", "lang": "en-US", "type": "CWE", "cweId": "CWE-312"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:23.224Z"}, "references": [{"name": "Microsoft ACI Confidential Containers Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23655"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:30:58.201471Z", "id": "CVE-2026-23655", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:31:23.432Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23655", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:30:58.201471Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:31:04.308Z"}}], "cna": {"title": "Microsoft ACI Confidential Containers Information Disclosure Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft ACI Confidential Containers", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "2.12", "versionType": "custom"}]}], "datePublic": "2026-02-10T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23655", "name": "Microsoft ACI Confidential Containers Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Cleartext storage of sensitive information in Azure Compute Gallery allows an authorized attacker to disclose information over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:microsoft_aci_confidential_containers:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.12", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:23.224Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23655", "state": "PUBLISHED", "dateUpdated": "2026-05-11T21:25:23.224Z", "dateReserved": "2026-01-14T16:59:33.462Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-10T17:51:24.484Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:confidential_sidecar_containers:*:*:*:*:*:*:*:*", "matchCriteriaId": "817D3B82-D694-46E1-8021-611B0D1E8ED1", "versionEndExcluding": "2.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cleartext storage of sensitive information in Azure Compute Gallery allows an authorized attacker to disclose information over a network."}, {"lang": "es", "value": "Almacenamiento en texto claro de informaci\u00f3n sensible en Azure Compute Gallery permite a un atacante autorizado divulgar informaci\u00f3n a trav\u00e9s de una red."}], "id": "CVE-2026-23655", "lastModified": "2026-02-25T14:19:13.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-02-10T18:16:36.137", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23655"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1.0.0,2.12)"}}], "product": "confidental_containers", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-15T16:31:16.504448+00:00", "value": {"mitigation_remediation": ["Apply the latest Microsoft ACI Confidential Containers update that eliminates cleartext storage of secrets.", "Configure Azure Compute Gallery to enforce encryption at rest and in transit for all stored sensitive data.", "Restrict network access to the gallery and enforce least\u2011privilege policies for users and service principals.", "Disable or delete any unused Compute Gallery resources that could inadvertently expose confidential information."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Microsoft ACI Confidential Containers are impacted; no specific versions were provided in the CNA data or documentation.", "description_and_impact": "Affected Microsoft ACI Confidential Containers store sensitive data in cleartext within the Azure Compute Gallery, allowing an authorized attacker to retrieve that information over a network. This leads to an exposure of confidential data without modification or denial of service, and is classified under CWE-312, a cryptographic or data storage weakness. The vulnerability does not grant arbitrary code execution or privilege escalation, but can reveal secrets that may be leveraged in further attacks.", "risk_and_exploitability": "The CVSS base score of 6.5 places the issue in the medium severity range. An EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network\u2011based and requires authorized access to the gallery, meaning an adversary would need legitimate credentials or internal access to the Azure environment to exploit this weakness."}}}}, "created": "2026-02-11T21:52:15.163377+00:00", "updated": "2026-04-15T17:45:10.827193+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$confidental_containers"]}