Enviar #828539: Azure 2026-03-17 Incorrect Privilege Assignmentinformación

TítuloAzure 2026-03-17 Incorrect Privilege Assignment
DescripciónAzure Backup for AKS incorrectly enables cluster-admin Trusted Access for any principal with Backup Contributor—a role with no Kubernetes access—allowing full cluster compromise without kubectl or RBAC permissions. CERT/CC independently validated this vulnerability as VU#284781 on 2026-04-16. Attack chain: (1) Attacker has Backup Contributor on backup vault, (2) enables backup on target AKS cluster, (3) Azure auto-grants Trusted Access with cluster-admin equivalent, (4) attacker extracts secrets via backup or restores malicious workloads. Microsoft silently patched this vulnerability without assigning a CVE, publishing a security advisory, or notifying customers. Evidence of patch: new error messages and permission requirements that did not exist during original testing. CVSS 3.1: 9.9 Critical (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Fuente⚠️ https://olearysec.com/research/azure-backup-aks-silent-patch
Usuario
 olearysec (UID 98242)
Sumisión2026-05-13 17:49 (hace 22 días)
Moderación2026-06-01 15:51 (19 days later)
EstadoAceptado
Entrada de VulDB367647 [Microsoft Azure Backup for AKS 2026-03-17 escalada de privilegios]
Puntos20

AnteriorVisión De ConjuntoPróximo

Want to stay up to date on a daily basis?

Enable the mail alert feature now!