CVE-2026-26141

High

Published: 10 March 2026

Published

10 March 2026

Modified

13 March 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0005 16.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26141 is a high-severity Improper Authentication (CWE-287) vulnerability in Microsoft Azure Automation Hybrid Worker Windows Extension. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-2 Identification and Authentication (Organizational Users) good match

prevent

IA-2 requires unique identification and authentication of organizational users, directly addressing the improper authentication flaw that enables local privilege escalation in Azure Arc.

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations for access to system resources, mitigating the incorrect authorization (CWE-863) that allows low-privileged attackers to elevate privileges.

AC-6 Least Privilege good match

prevent

AC-6 applies least privilege to limit authorized accesses, preventing privilege escalation exploits even with flawed authentication mechanisms.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE describes local privilege escalation via improper authentication/authorization flaw in Azure Arc, directly matching exploitation of a software vulnerability for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper authentication in Azure Arc allows an authorized attacker to elevate privileges locally.

Deeper analysisAI

CVE-2026-26141 is an improper authentication vulnerability affecting Azure Arc, published on 2026-03-10T18:18:42.957. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization). The issue enables an authorized attacker to elevate privileges locally due to flaws in the authentication mechanism.

A local attacker possessing low privileges (PR:L) can exploit this vulnerability with low attack complexity and no user interaction. Exploitation grants high impacts on confidentiality, integrity, and availability, allowing the attacker to escalate privileges on the affected Azure Arc-enabled system.

The Microsoft Security Response Center advisory provides details on mitigation and patches at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26141.

Details

CWE(s): CWE-287 CWE-863

Affected Products

microsoft

azure automation hybrid worker windows extension

1.0.0 — 1.3.74

CVEs Like This One

CVE-2026-26119Same vendor: Microsoft

CVE-2026-24294Same vendor: Microsoft

CVE-2026-26128Same vendor: Microsoft

CVE-2025-53778Same vendor: Microsoft

CVE-2025-54918Same vendor: Microsoft

CVE-2025-54914Same vendor: Microsoft

CVE-2026-24293Same vendor: Microsoft

CVE-2025-21359Same vendor: Microsoft

CVE-2025-21367Same vendor: Microsoft

CVE-2025-49739Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26141
Vendor Advisory · secure@microsoft.com