Cyber Resilience

CVE-2026-21532

High

Published: 05 February 2026

Published
05 February 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score v3.1 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0084 53.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21532 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Microsoft Azure Functions. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-21532 is an information disclosure vulnerability, classified under CWE-200, affecting Azure Functions. Published on 2026-02-05T23:15:54.317, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating a high-severity issue where sensitive information can be exposed to unauthorized actors.

The vulnerability can be exploited remotely by unauthenticated attackers (PR:N) over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). Successful exploitation enables high-impact confidentiality loss (C:H), such as disclosure of sensitive data, alongside low integrity impact (I:L) and no disruption to availability (A:N), within an unchanged security scope (S:U).

Mitigation guidance is available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21532.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Azure Function Information Disclosure Vulnerability

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploitation of Azure Functions for sensitive data disclosure directly aligns with public-facing application exploitation; info disclosure nature precludes tighter mappings without specifics on leaked data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23659Same vendor: Microsoft
CVE-2026-21260Same vendor: Microsoft
CVE-2026-21524Same vendor: Microsoft
CVE-2026-40379Same vendor: Microsoft
CVE-2026-41615Same vendor: Microsoft
CVE-2025-59237Same vendor: Microsoft
CVE-2025-55232Same vendor: Microsoft
CVE-2025-53772Same vendor: Microsoft
CVE-2025-21368Same vendor: Microsoft
CVE-2026-21531Same vendor: Microsoft

Affected Assets

microsoft
azure functions
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of flaws, directly mitigating this Azure Functions information disclosure vulnerability through patching.

detect

Specifically monitors for indicators of information disclosure, enabling detection of exploitation attempts against CVE-2026-21532 by unauthenticated remote attackers.

prevent

Monitors and controls communications at external boundaries, preventing unauthenticated network access that could exploit the vulnerability to disclose sensitive information.

References