Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.
The vulnerability consists of improper authorization (CWE-285, CWE-863), meaning that access control mechanisms in Microsoft Azure Kubernetes Service do not correctly verify the requester's permissions. An attacker without any credentials, acting remotely over the network, can bypass these controls and obtain elevated privileges. The attack vector does not require user interaction or special prerequisites, making the exploit particularly easy to carry out at scale.
An attacker can obtain elevated privileges in the Azure Kubernetes Service environment, potentially leading to complete takeover of the cluster, disclosure of sensitive data, and disruption of hosted containerized applications.
Apply patches available from the vendor according to references — updates described in Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33105. It is recommended to immediately check patch availability and deploy them, as well as monitor unauthorized access attempts to AKS clusters.
Microsoft Azure Kubernetes Service — versions indicated in vendor references (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33105)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMicrosoft Azure Kubernetes Service
APPMicrosoftwszystkie wersje
Related vulnerabilities
RCE w Microsoft Azure Kubernetes Service Confidential Containers
Privilege escalation w Azure Kubernetes Service Confidential Containers
Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
Azure Virtual Machine Information Disclosure Vulnerability
Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability