{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26141", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T16:24:51.134Z", "datePublished": "2026-03-10T17:05:22.943Z", "dateUpdated": "2026-04-14T16:36:42.821Z"}, "containers": {"cna": {"title": "Hybrid Worker Extension (Arc\u2011enabled Windows VMs) Elevation of Privilege Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_automation_hybrid_worker_windows_extension:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.3.74"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Automation Hybrid Worker Windows Extension", "versions": [{"version": "1.0.0", "lessThan": "1.3.74", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-287: Improper Authentication", "lang": "en-US", "type": "CWE", "cweId": "CWE-287"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:42.821Z"}, "references": [{"name": "Hybrid Worker Extension (Arc\u2011enabled Windows VMs) Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26141"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-26141"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T03:56:19.381Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26141", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T19:43:22.352049Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:43:31.044Z"}}], "cna": {"title": "Hybrid Worker Extension (Arc\u2011enabled Windows VMs) Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Azure Automation Hybrid Worker Windows Extension", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.3.74", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26141", "name": "Hybrid Worker Extension (Arc\u2011enabled Windows VMs) Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_automation_hybrid_worker_windows_extension:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.3.74", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:42.821Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26141", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:42.821Z", "dateReserved": "2026-02-11T16:24:51.134Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:05:22.943Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:azure_automation_hybrid_worker_windows_extension:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F218581-2389-4D6D-B159-31D2D42B5CDD", "versionEndExcluding": "1.3.74", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally."}, {"lang": "es", "value": "Autenticaci\u00f3n indebida en Azure Arc permite a un atacante autorizado elevar privilegios localmente."}], "id": "CVE-2026-26141", "lastModified": "2026-03-13T17:03:42.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:42.957", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26141"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "secure@microsoft.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,1.3.74)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Azure Automation Hybrid Worker Windows Extension", "source": "cna", "vendor": "Microsoft"}, "product": "azure_automation_hybrid_worker_windows_extension", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-16T23:14:29.965224+00:00", "value": {"mitigation_remediation": ["Apply the latest Microsoft patch for Azure Automation Hybrid Worker Windows Extension per the Microsoft Security Advisory", "Limit the privileges of Azure Arc service accounts and network access to the extension until a patch is deployed", "Enable auditing and monitoring for privilege escalation events on Arc\u2011enabled Windows VMs", "Review local account permissions and remove any unnecessary administrator rights"], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Products affected are Microsoft Azure Automation Hybrid Worker Windows Extension (Arc\u2011enabled Windows VMs). No specific version information is provided in the CVE entry; users should review the Microsoft advisory to determine which deployed versions are vulnerable.", "description_and_impact": "Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally on Arc\u2011enabled Windows VMs. The vulnerability corresponds to CWE-287 (Authentication Bypass) and CWE-863 (Privilege Escalation), enabling a local attacker to assume higher privileges, thereby compromising confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score of 7.8 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an authenticated attacker with local access to the VM; there is no evidence of remote exploitation."}}}}, "created": "2026-03-11T11:45:07.688766+00:00", "updated": "2026-03-20T14:34:00.112957+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$azure_automation_hybrid_worker_windows_extension"]}