CVE-2026-35428
Published: 07 May 2026
Summary
CVE-2026-35428 is a critical-severity Command Injection (CWE-77) vulnerability in Microsoft Azure Cloud Shell. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-28453
Vulnerability details
Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection (CWE-77) in network-exposed Azure Cloud Shell directly enables remote command execution via T1190 (public app exploitation) and T1059.004 (Unix shell).
CVEs Like This One
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.