Azure

cloud-security 2026-04-28
Entra Agent ID Administrator Role Could Hijack Any Service Principal — CVE-2026-35431
A built-in Entra ID role meant to manage AI agents could be used to take ownership of any service principal in the tenant — including Global Administrator-equivalent ones — and authenticate as it. Microsoft patched cloud-side on April 9; Silverfort published technical details April 27.
entra-id azure identity privilege-escalation ai-agents service-principal cve-2026-35431 silverfort
Vulnerabilities 2026-04-06
CVE-2026-32211: Azure MCP Server Ships with No Auth — Your DevOps Secrets Are One Request Away
Critical CVSS 9.1 flaw in Azure MCP Server has zero authentication on critical functions, exposing API keys, tokens, repos, and pipeline configs to unauthenticated attackers. No patch available.
azure mcp devops authentication microsoft cicd
vulnerabilities 2026-04-03
CVE-2026-33105: Azure Kubernetes Service RBAC Bypass Scores Perfect 10.0 CVSS
Critical AKS vulnerability allows privilege escalation to cluster admin via RBAC bypass. CVSS 10.0. Patch now.
kubernetes azure aks rbac privilege-escalation cve

Entra Agent ID Administrator Role Could Hijack Any Service Principal — CVE-2026-35431