https://cybercrime.club/tags/azure/Recent content in Azure on cybercrime.clubHugoen-usFri, 03 Apr 2026 14:00:00 -0400https://cybercrime.club/posts/aks-cve-2026-33105-rbac-privilege-escalation/Fri, 03 Apr 2026 14:00:00 -0400https://cybercrime.club/posts/aks-cve-2026-33105-rbac-privilege-escalation/<p>Microsoft disclosed CVE-2026-33105 on April 3, 2026 — a critical improper authorization vulnerability in Azure Kubernetes Service that carries the maximum CVSS score of 10.0. The flaw exists in how AKS validates role-based access control (RBAC) enforcement for certain Kubernetes API requests, allowing an attacker to escalate from a standard user to full cluster administrator.</p> <p>If you run AKS clusters, stop reading and start patching.</p> <h2 id="what-happened">What Happened</h2> <p>The vulnerability is rooted in how AKS handles Kubernetes API requests related to cluster role bindings and service account permissions. Under specific conditions, the RBAC enforcement layer fails to correctly validate authorization checks, allowing an attacker to manipulate these requests and bind themselves to the <code>cluster-admin</code> ClusterRole — or create new privileged service accounts — without having the permissions to do so.</p>