Cyber Posture

CVE-2026-23658

High

Published: 19 March 2026

Published
19 March 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0010 27.2th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23658 is a high-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Microsoft Azure Devops. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

Directly mandates protecting authenticator content from unauthorized disclosure and modification, addressing the core issue of insufficiently protected credentials in Azure DevOps.

SC-28 Protection of Information at Rest good match
prevent

Requires cryptographic or other mechanisms to protect sensitive information like credentials at rest, preventing unauthorized network access to unprotected stored credentials.

AC-6 Least Privilege partial match
prevent

Enforces least privilege to limit the scope and impact of privilege elevation achieved through exploitation of insufficiently protected credentials.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
attack.mitre.org →
Why these techniques?

CVE directly describes a remotely exploitable flaw (AV:N/PR:N) in a public-facing cloud service (Azure DevOps) that exposes credentials due to insufficient protection (CWE-522), mapping to public-facing application exploitation and unsecured credential access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges over a network.

Deeper analysisAI

CVE-2026-23658 is a vulnerability involving insufficiently protected credentials in Azure DevOps, classified under CWE-522: Insufficiently Protected Credentials. Published on 2026-03-19, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, no prerequisites for privileges or user interaction, and a changed scope with high confidentiality impact.

An unauthorized attacker (PR:N) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N). Successful exploitation enables privilege elevation, allowing access to sensitive credentials and potentially compromising high-impact confidential data across the affected scope (S:C).

The Microsoft Security Response Center (MSRC) provides an update guide with details on this vulnerability, including mitigation recommendations, at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23658.

Details

CWE(s)
CWE-522

Affected Products

microsoft
azure devops
all versions

CVEs Like This One

CVE-2025-47158Same product: Microsoft Azure Devops
CVE-2026-42826Same product: Microsoft Azure Devops
CVE-2026-32171Same vendor: Microsoft
CVE-2026-20947Same vendor: Microsoft
CVE-2026-20856Same vendor: Microsoft
CVE-2025-21385Same vendor: Microsoft
CVE-2025-62549Same vendor: Microsoft
CVE-2025-59287Same vendor: Microsoft
CVE-2025-53766Same vendor: Microsoft
CVE-2026-21532Same vendor: Microsoft

References