{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23658", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-14T16:59:33.463Z", "datePublished": "2026-03-19T21:06:23.083Z", "dateUpdated": "2026-04-14T16:36:26.012Z"}, "containers": {"cna": {"title": "Azure DevOps: msazure Elevation of Privilege Vulnerability", "datePublic": "2026-03-19T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_devops_msazure:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure DevOps: msazure", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-522: Insufficiently Protected Credentials", "lang": "en-US", "type": "CWE", "cweId": "CWE-522"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:26.012Z"}, "references": [{"name": "Azure DevOps: msazure Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T04:01:41.963050Z", "id": "CVE-2026-23658", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T13:02:45.767Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23658", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-21T04:01:41.963050Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:06:41.955Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Azure DevOps: msazure Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure DevOps: msazure", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-03-19T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658", "name": "Azure DevOps: msazure Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_devops_msazure:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:26.012Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23658", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:26.012Z", "dateReserved": "2026-01-14T16:59:33.463Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-19T21:06:23.083Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_devops:-:*:*:*:*:*:*:*", "matchCriteriaId": "238C9D36-6940-492B-B0AC-EBF02676729F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network."}, {"lang": "es", "value": "Credenciales insuficientemente protegidas en Azure DevOps permite a un atacante no autorizado elevar privilegios sobre una red."}], "id": "CVE-2026-23658", "lastModified": "2026-04-01T15:14:56.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-19T21:16:54.487", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Azure DevOps: msazure", "source": "cna", "vendor": "Microsoft"}, "product": "azure_devops", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-02T03:01:25.183591+00:00", "value": {"mitigation_remediation": ["Apply the latest security update for Azure DevOps msazure as published by Microsoft"], "summary": {"action": "Immediate Patch", "impact": "Elevation of Privilege"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to Microsoft Azure DevOps services, specifically the msazure component referenced by the vendor. No explicit affected version ranges are listed in the CNA data, so administrators cannot rely on version numbers alone and should verify all deployed instances.", "description_and_impact": "An Azure DevOps component dubbed msazure stores credentials in an insufficiently protected manner. This flaw enables an attacker who can reach the system over a network to acquire those credentials and subsequently elevate privileges. The consequence is a compromise of account and the potential to modify or delete data, undermining confidentiality and integrity.", "risk_and_exploitability": "The flaw is rated a high CVSS score of 8.6 and has an EPSS less than 1%, indicating low likelihood of widespread exploitation at present. It is not yet catalogued in CISA\u2019s KEV list. The attack vector is inferred to be network based, allowing an unauthorized remote actor to acquire privileges without local access."}}}}, "created": "2026-03-20T08:55:59.351274+00:00", "updated": "2026-04-02T07:59:46.699482+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_devops"]}