Cyber Resilience

CVE-2026-23658

High

Published: 19 March 2026

Published
19 March 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0078 51.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-23658 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Microsoft Azure Devops. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2026-23658 is a vulnerability involving insufficiently protected credentials in Azure DevOps, classified under CWE-522: Insufficiently Protected Credentials. Published on 2026-03-19, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, no prerequisites for privileges or user interaction, and a changed scope with high confidentiality impact.

An unauthorized attacker (PR:N) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N). Successful exploitation enables privilege elevation, allowing access to sensitive credentials and potentially compromising high-impact confidential data across the affected scope (S:C).

The Microsoft Security Response Center (MSRC) provides an update guide with details on this vulnerability, including mitigation recommendations, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

CVE directly describes a remotely exploitable flaw (AV:N/PR:N) in a public-facing cloud service (Azure DevOps) that exposes credentials due to insufficient protection (CWE-522), mapping to public-facing application exploitation and unsecured credential access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-47158Same product: Microsoft Azure Devops
CVE-2026-42826Same product: Microsoft Azure Devops
CVE-2026-32171Same vendor: Microsoft
CVE-2026-23659Same vendor: Microsoft
CVE-2025-59237Same vendor: Microsoft
CVE-2025-55232Same vendor: Microsoft
CVE-2026-21532Same vendor: Microsoft
CVE-2025-53772Same vendor: Microsoft
CVE-2025-21368Same vendor: Microsoft
CVE-2026-21531Same vendor: Microsoft

Affected Assets

microsoft
azure devops
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates protecting authenticator content from unauthorized disclosure and modification, addressing the core issue of insufficiently protected credentials in Azure DevOps.

prevent

Requires cryptographic or other mechanisms to protect sensitive information like credentials at rest, preventing unauthorized network access to unprotected stored credentials.

prevent

Enforces least privilege to limit the scope and impact of privilege elevation achieved through exploitation of insufficiently protected credentials.

References