CVE-2026-21515

Published Apr 24, 2026

Last updated 14 days ago

CVSS critical 9.9
IoT

Overview

Description
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
Source
secure@microsoft.com
NVD status
Analyzed
CNA Tags
exclusively-hosted-service
Products
azure_iot_central

Risk scores

CVSS 3.1

Type
Primary
Base score
9.9
Impact score
6
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

secure@microsoft.com
CWE-200

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Microsoft SharePoint Server Improper Input Validation VulnerabilityCVE-2026-32201
  2. Fortinet FortiClient EMS Improper Access Control VulnerabilityCVE-2026-35616
  3. A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on ip address for authentication. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.CVE-2026-4252
  4. A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage of credentials. The attack requires local access. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.CVE-2026-4251
  5. Google Skia Out-of-Bounds Write VulnerabilityCVE-2026-3909

References

Sources include official advisories and independent security research.