Spoofing Vulnerability in Microsoft Azure Entra ID
CVE-2026-40379

9.3 CRITICAL

Key Information:

Vendor: Microsoft
CVE Published: 12 May 2026

What is CVE-2026-40379?

The vulnerability in Microsoft Azure Entra ID allows unauthorized actors to gain access to sensitive information, potentially facilitating spoofing attacks over a network. This creates significant risks for organizations relying on Azure Entra ID for identity management and security. Attackers can exploit this weakness to impersonate users, leading to unauthorized actions and data breaches. Organizations should implement recommended patches to mitigate this risk.

Affected Version(s)

Microsoft Entra -

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
