{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24304", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-21T21:28:02.969Z", "datePublished": "2026-01-23T01:18:55.469Z", "dateUpdated": "2026-04-01T13:49:23.361Z"}, "containers": {"cna": {"title": "Azure Resource Manager Elevation of Privilege Vulnerability", "datePublic": "2026-01-22T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_resource_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Resource Manager", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-284: Improper Access Control", "lang": "en-US", "type": "CWE", "cweId": "CWE-284"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:23.361Z"}, "references": [{"name": "Azure Resource Manager Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24304"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24304", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-24T04:55:28.473489Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:28.551Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24304", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-24T04:55:28.473489Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T19:57:27.603Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Azure Resource Manager Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Resource Manager", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-01-22T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24304", "name": "Azure Resource Manager Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_resource_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:23.361Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24304", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:49:23.361Z", "dateReserved": "2026-01-21T21:28:02.969Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-01-23T01:18:55.469Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_resource_manager:-:*:*:*:*:*:*:*", "matchCriteriaId": "48C0D61C-CC26-4E98-B9E9-F51DCCD8E93F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network."}], "id": "CVE-2026-24304", "lastModified": "2026-02-12T17:23:04.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-23T02:15:55.547", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24304"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:55:22.451747+00:00", "value": {"mitigation_remediation": ["Apply the latest Azure Resource Manager updates from Microsoft to remove the access control flaw.", "Enforce least\u2011privilege principles by reviewing and limiting Azure RBAC roles assigned to users and service principals.", "Segregate management traffic by restricting ARM endpoint access to trusted management networks and applying firewall or network security group rules."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Improper Access Control"}, "threat_synthesis": {"affected_systems": "Microsoft Azure Resource Manager is the affected product. No specific version information is provided in the CNA data; therefore all deployments of Azure Resource Manager that have not applied the latest security updates may be susceptible.", "description_and_impact": "This vulnerability arises from improper access control in Microsoft Azure Resource Manager, enabling an attacker who already possesses authorized authentication to elevate their privileges over the network. The flaw effectively allows a user with limited rights to acquire higher-level permissions, potentially granting arbitrary configuration changes, data exfiltration, or denial\u2011of\u2011service conditions. The CVSS score of 9.9 indicates catastrophic risk to confidentiality, integrity, and availability if exploited.", "risk_and_exploitability": "With a CVSS score of 9.9 and an EPSS score below 1%, the likelihood of public exploitation appears low, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, the attack vector is inferred to be a network\u2011based attack originating from an authenticated account with legitimate access to the ARM API. An attacker would need to abuse the misconfigured permission enforcement to transition from a lower privilege role to a higher one, thereby gaining full control over Azure resources. The danger lies in the potential for broad platform compromise once privileged elevation is achieved."}}}}, "created": "2026-04-16T02:00:12.337826+00:00", "updated": "2026-04-16T02:00:12.337839+00:00", "vendors": []}