CVE-2026-20849
Published: 13 January 2026
Summary
CVE-2026-20849 is a high-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 25.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Prevents reliance on untrusted matching results for security-relevant decisions by enforcing verification and contest procedures.
Providing authoritative attributes with the data reduces the need for security decisions to rely on untrusted external inputs.
Reduces reliance on untrusted inputs by ensuring only authorized sources may supply data.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in Kerberos auth decision logic (untrusted input) directly enables network-based privilege escalation from low-priv domain account (T1068); exploitation commonly involves forging or abusing Kerberos tickets (T1558).
NVD Description
Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network.
Deeper analysisAI
CVE-2026-20849 is a vulnerability in Windows Kerberos stemming from reliance on untrusted inputs in a security decision, classified under CWE-807. It affects the Windows Kerberos authentication component, enabling an authorized attacker to potentially elevate privileges. The vulnerability received a CVSS v3.1 base score of 7.5, reflecting network accessibility (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). It was published on January 13, 2026.
An attacker with low-level authorized access, such as a domain user, can exploit this flaw over the network by manipulating untrusted inputs during Kerberos security decisions. Successful exploitation allows privilege escalation, potentially granting higher-level access within the Windows environment without requiring local presence or user interaction.
Microsoft's Security Response Center provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20849, which details recommended mitigations and patches for addressing the vulnerability.
Details
- CWE(s)