CVE-2026-24302
Published: 05 February 2026
Description
Improper access control in Azure Arc allows an unauthorized attacker to elevate privileges over a network.
Mitigating Controls (NIST 800-53 r5)
- Enforce approved authorizations for access to system resources, directly preventing the unauthorized privilege elevation that improper access control in Azure Arc would otherwise permit.
- Apply the principle of least privilege so that each account holds only the permissions it needs, limiting what an unauthenticated network attacker can gain through privilege escalation.
- Provide the capability to make correct access control decisions based on user identity and roles, countering an improper access control flaw that lets an attacker with no privileges elevate.
Security Summary
CVE-2026-24302 is an improper access control vulnerability affecting Azure Arc. Published on 2026-02-05, it is classified under CWE-284 and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N): high severity because it is reachable over the network, low in attack complexity, requires no privileges and no user interaction, has a changed scope, and has a high confidentiality impact.
An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) without user interaction (UI:N). Successful exploitation allows the attacker to elevate privileges, with a high confidentiality impact (C:H) that extends beyond the vulnerable component (S:C).
The Microsoft Security Response Center advisory provides details on mitigation and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24302.
Details
- CWE(s): CWE-284 (Improper Access Control)
- Affected Products: Azure Arc
MITRE ATT&CK Enterprise Techniques
- T1068: Exploitation for Privilege Escalation
Why these techniques?
The vulnerability is explicitly described as an Elevation of Privilege issue enabling privilege escalation, which maps directly to T1068: Exploitation for Privilege Escalation.