VULNERABILITY OVERVIEW
An exposure of sensitive information to an unauthorized actor (CWE-200) in Azure DevOps allows an unauthenticated remote attacker to disclose sensitive information over the network with no user interaction required. Despite the CVSS 10.0 base score and High ratings for confidentiality, integrity, and availability impact, Microsoft proactively remediated this vulnerability within its cloud infrastructure without requiring customer intervention and published the CVE for transparency. The risk to organizations storing source code, build pipelines, secrets, and API keys in Azure DevOps is considered high given the platform's role in software supply chain security.
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privs Required: NONE
User Interaction: NONE
Scope: CHANGED
Impact: C:H · I:H · A:H
AFFECTED VERSIONS
Azure DevOps (cloud service). Microsoft has already fully mitigated on the service side; no customer action required.
CITATIONS
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42826
- https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-may-2026/
- https://socradar.io/blog/may-2026-patch-tuesday-zero-day/
- https://nvd.nist.gov/vuln/detail/CVE-2026-42826