SYS::ONLINE
Wasteland.
Briefs779
Issues14
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-42822 2026-05-18

CVE-2026-42822: Critical Authentication Bypass in Azure Local Disconnected Operations

"Microsoft disclosed a maximum-severity (CVSS 10.0) improper authentication flaw in Azure Local Disconnected Operations that lets an unauthenticated remote attacker elevate privileges across a network with no user…"

Microsoft disclosed a maximum-severity (CVSS 10.0) improper authentication flaw in Azure Local Disconnected Operations that lets an unauthenticated remote attacker elevate privileges across a network with no user interaction required.

What Is It

CVE-2026-42822 is an improper authentication weakness (CWE-287) affecting Azure Local Disconnected Operations. According to Microsoft's advisory, the flaw allows an unauthorized attacker to elevate privileges over a network. The vulnerability carries a CVSS 3.1 base score of 10.0 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, meaning it is exploitable remotely, requires low attack complexity, needs no privileges or user interaction, and the scope is changed, with high impact to confidentiality, integrity, and availability.

Why It Matters

A perfect 10.0 CVSS rating is rare and signals a worst-case scenario: an unauthenticated network-accessible vector with full triple-impact compromise and a scope change, meaning the vulnerable component can affect resources beyond its security authority. The combination of no privileges required, no user interaction, and low complexity makes this an attractive target for opportunistic attackers and ransomware operators once technical details or exploit code surface. Disconnected/edge deployments of Azure Local are often used in environments where patch cycles lag, increasing exposure windows.

What's Vulnerable

The affected component is Azure Local Disconnected Operations. The NVD entry was published on 2026-05-18 by Microsoft ([email protected]) and remains in "Awaiting Analysis" status, so the formal CPE list of affected versions is not yet enumerated in NVD. Administrators should consult the Microsoft Security Response Center (MSRC) advisory directly for the authoritative list of impacted builds and configurations.

Patch Status

Microsoft published the advisory through MSRC on 2026-05-18. Refer to the MSRC update guide entry for this CVE for the current patch availability, affected version matrix, and any mitigation guidance. There is no CISA KEV entry confirming in-the-wild exploitation at this time; given the severity, defenders should treat patching as urgent regardless.

Sources