CVE-2026-21532
Published: 05 February 2026
Summary
CVE-2026-21532 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Microsoft Azure Functions. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-21532 is an information disclosure vulnerability, classified under CWE-200, affecting Azure Functions. Published on 2026-02-05T23:15:54.317, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating a high-severity issue where sensitive information can be exposed to unauthorized actors.
The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation enables high-impact confidentiality loss (C:H), such as disclosure of sensitive data, alongside low integrity impact (I:L) and no disruption to availability (A:N), within an unchanged security scope (S:U).
Mitigation guidance is available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21532.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5521
Vulnerability details
Azure Function Information Disclosure Vulnerability
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of Azure Functions for sensitive data disclosure directly aligns with public-facing application exploitation; info disclosure nature precludes tighter mappings without specifics on leaked data.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of flaws, directly mitigating this Azure Functions information disclosure vulnerability through patching.
Specifically monitors for indicators of information disclosure, enabling detection of exploitation attempts against CVE-2026-21532 by unauthenticated remote attackers.
Monitors and controls communications at external boundaries, preventing unauthenticated network access that could exploit the vulnerability to disclose sensitive information.