CVE-2026-23658
Published: 19 March 2026
Summary
CVE-2026-23658 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Microsoft Azure Devops. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).
Deeper analysis
CVE-2026-23658 is a vulnerability involving insufficiently protected credentials in Azure DevOps, classified under CWE-522: Insufficiently Protected Credentials. Published on 2026-03-19, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, no prerequisites for privileges or user interaction, and a changed scope with high confidentiality impact.
An unauthorized attacker (PR:N) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N). Successful exploitation enables privilege elevation, allowing access to sensitive credentials and potentially compromising high-impact confidential data across the affected scope (S:C).
The Microsoft Security Response Center (MSRC) provides an update guide with details on this vulnerability, including mitigation recommendations, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13174
Vulnerability details
Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE directly describes a remotely exploitable flaw (AV:N/PR:N) in a public-facing cloud service (Azure DevOps) that exposes credentials due to insufficient protection (CWE-522), mapping to public-facing application exploitation and unsecured credential access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates protecting authenticator content from unauthorized disclosure and modification, addressing the core issue of insufficiently protected credentials in Azure DevOps.
Requires cryptographic or other mechanisms to protect sensitive information like credentials at rest, preventing unauthorized network access to unprotected stored credentials.
Enforces least privilege to limit the scope and impact of privilege elevation achieved through exploitation of insufficiently protected credentials.