Improper Access Control in Azure Connected Machine Agent by Microsoft
CVE-2026-40381

7.8HIGH

Key Information:

Vendor: Microsoft
Status: Azure Connected Machine Agent
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-40381?

An improper access control vulnerability in the Azure Connected Machine Agent allows a local attacker, who is already authorized, to elevate their privileges. This flaw could enable unauthorized access to sensitive information and functions within Azure environments, potentially compromising system integrity and security. Ensuring that the latest patches are applied is crucial to mitigate this risk effectively.

Affected Version(s)

Azure Connected Machine Agent 1.0.0 < 1.63

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisorypatch

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 11, 2026

CVE-2026-40381 Data

JSON