CVE-2026-45480

Published Jun 19, 2026

Last updated 3 days ago

CVSS critical 10.0

Overview

Description
Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
Source
secure@microsoft.com
NVD status
Analyzed
CNA Tags
exclusively-hosted-service
Products
azure_active_directory

Risk scores

CVSS 3.1

Type
Secondary
Base score
10
Impact score
6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

secure@microsoft.com
CWE-287

Social media

Hype score
Not currently trending

  1. A lot of offensive activities were identified targeting Microsoft Azure (CVE-2026-45480) https://t.co/zy9sENcNGO

    @vuldb

    20 Jun 2026

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Microsoft Azure Active Directory B2C Spoofing VulnerabilityCVE-2024-21381
  2. An information disclosure vulnerability manifests when a user or an application uploads unprotected private key data as part of an authentication certificate keyCredential  on an Azure AD Application or Service Principal (which is not recommended). This vulnerability allows a user or service in the tenant with application read access to read the private key data that was added to the application. Azure AD addressed this vulnerability by preventing disclosure of any private key values added to the application. Microsoft has identified services that could manifest this vulnerability, and steps that customers should take to be protected. Refer to the FAQ section for more information. For more details on this issue, please refer to the MSRC Blog Entry.CVE-2021-42306

References

Sources include official advisories and independent security research.