CVE-2026-20849
Published: 13 January 2026
Summary
CVE-2026-20849 is a high-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-20849 is a vulnerability in Windows Kerberos stemming from reliance on untrusted inputs in a security decision, classified under CWE-807. It affects the Windows Kerberos authentication component, enabling an authorized attacker to potentially elevate privileges. The vulnerability received a CVSS v3.1 base score of 7.5, reflecting network accessibility (AV:N), high attack complexity (AC:H), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). It was published on January 13, 2026.
An attacker with low-level authorized access, such as a domain user, can exploit this flaw over the network by manipulating untrusted inputs during Kerberos security decisions. Successful exploitation allows privilege escalation, potentially granting higher-level access within the Windows environment without requiring local presence or user interaction.
Microsoft's Security Response Center provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20849, which details recommended mitigations and patches for addressing the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2160
Vulnerability details
Reliance on untrusted inputs in a security decision in Windows Kerberos allows an authorized attacker to elevate privileges over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in Kerberos auth decision logic (untrusted input) directly enables network-based privilege escalation from low-priv domain account (T1068); exploitation commonly involves forging or abusing Kerberos tickets (T1558).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2026-20849 by requiring timely identification, reporting, and correction of the specific flaw in Windows Kerberos.
Addresses CWE-807 by mandating validation of untrusted inputs used in Kerberos security decisions, rejecting invalid ones to block privilege escalation.
Requires Kerberos access control decisions to be based solely on valid inputs and authorized policies, preventing exploitation via untrusted data.