Microsoft rejects critical Azure vulnerability report, no CVE issued
Microsoft has rejected a report detailing a critical vulnerability in Azure Backup for AKS, claiming that the issue does not constitute a security flaw. The researcher who reported the vulnerability argues that it allows unauthorized users to gain cluster-admin access. Despite the rejection, subsequent observations suggest that Microsoft may have implemented changes that address the reported issue.
- ▪A security researcher reported a critical privilege escalation flaw in Azure Backup for AKS to Microsoft.
- ▪Microsoft disputed the claim, stating that the behavior was expected and no product changes were made.
- ▪The researcher escalated the issue to CERT, which validated the vulnerability and assigned it an identifier.
Opening excerpt (first ~120 words) tap to expand
Microsoft rejects critical Azure vulnerability report, no CVE issued By Ax Sharma May 16, 2026 04:55 PM 5 A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report, and blocking a CVE from being issued. The researcher's report describes a critical privilege escalation flaw that allowed cluster-admin access from the low-privileged "Backup Contributor" role. Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that "no product changes were made," despite the researcher documenting new permission checks and failed exploit attempts after disclosure, suggestive of a silent patch.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at BleepingComputer.
Discussion
0 commentsMore from BleepingComputer
