PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-26147 Microsoft CVE debrief

CVE-2026-26147 is a HIGH severity vulnerability (CVSS 7.7) in Azure Compute Gallery resulting from improper input validation (CWE-20). An authorized attacker can exploit this flaw to disclose information over a network. The vulnerability was published on 2026-05-22 and last modified on 2026-05-26. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high confidentiality impact with no integrity or availability impact. Microsoft is the affected vendor per source reference attribution. The vulnerability is currently undergoing analysis in the NVD and is not listed in CISA KEV.

Vendor: Microsoft
Product: Azure Stack HCI
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-27
Advisory published: 2026-05-22
Advisory updated: 2026-05-27

Who should care

Organizations using Azure Compute Gallery for VM image management and distribution; cloud security teams; Azure administrators; compliance officers monitoring for unauthorized data access in cloud environments

Technical summary

Improper input validation in Azure Compute Gallery enables authorized attackers to disclose sensitive information over network connections. The vulnerability requires low privileges and no user interaction, and its changed scope means the exposure can extend beyond the vulnerable component itself. The impact is high on confidentiality, with no effect on integrity or availability.

Defensive priority

HIGH

Recommended defensive actions

  • Review Microsoft Security Response Center (MSRC) guidance for CVE-2026-26147 for patch availability and deployment timelines
  • Apply security updates from Microsoft for Azure Compute Gallery when released
  • Audit Azure Compute Gallery configurations for unauthorized access patterns
  • Implement network segmentation to limit exposure of Azure Compute Gallery resources
  • Monitor Azure activity logs for anomalous information access attempts by authorized users
  • Validate input sanitization in custom integrations with Azure Compute Gallery APIs
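The monitoring action above (flagging information access against gallery resources by authorized identities) can be prototyped as a simple pass over Azure Activity Log records. The following Python script is an added example written for this debrief, not code from PatchSiren or Microsoft. It assumes the common activity-log field names (operationName, caller, resourceId, resultType, eventTimestamp) and assumes gallery operations are named under the Microsoft.Compute/galleries/ provider prefix; the log records, the reader allowlist and the volume threshold are constructed for illustration and would be replaced by an organization's own exported logs and baseline.

```python
"""Flag gallery read activity that falls outside an expected baseline.

Two conditions are reported per caller:
  * the caller is not in the allowlist of identities expected to read gallery
    images/versions, or
  * the caller's number of gallery reads in the window exceeds a threshold.
Write operations and non-gallery resources are ignored.
"""
from collections import defaultdict

# Assumed provider prefix for Azure Compute Gallery operations (lower-cased
# because Azure operation names are compared case-insensitively here).
GALLERY_PREFIX = "microsoft.compute/galleries/"
READ_THRESHOLD = 5  # constructed baseline: more reads than this is unusual

# Constructed sample records shaped like Azure Activity Log entries.
SAMPLE_LOG = [
    {"eventTimestamp": "2026-05-23T08:00:00Z", "caller": "svc-imagebuild@example.com",
     "operationName": "Microsoft.Compute/galleries/images/versions/read",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-images/providers/"
                   "Microsoft.Compute/galleries/gal1/images/ubuntu/versions/1.0.0",
     "resultType": "Success"},
    {"eventTimestamp": "2026-05-23T08:01:00Z", "caller": "svc-imagebuild@example.com",
     "operationName": "Microsoft.Compute/galleries/images/read",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-images/providers/"
                   "Microsoft.Compute/galleries/gal1/images/ubuntu",
     "resultType": "Success"},
    {"eventTimestamp": "2026-05-23T09:15:00Z", "caller": "contractor@example.com",
     "operationName": "Microsoft.Compute/galleries/images/versions/read",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-images/providers/"
                   "Microsoft.Compute/galleries/gal1/images/win2022/versions/2.1.0",
     "resultType": "Success"},
    {"eventTimestamp": "2026-05-23T09:16:00Z", "caller": "contractor@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/read",  # not a gallery op
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-vms/providers/"
                   "Microsoft.Compute/virtualMachines/vm1",
     "resultType": "Success"},
    {"eventTimestamp": "2026-05-23T10:00:00Z", "caller": "alice@example.com",
     "operationName": "Microsoft.Compute/galleries/write",  # write, ignored
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-images/providers/"
                   "Microsoft.Compute/galleries/gal1",
     "resultType": "Success"},
] + [
    # Six reads in quick succession from an allowlisted identity: volume anomaly.
    {"eventTimestamp": f"2026-05-23T10:0{i}:00Z", "caller": "alice@example.com",
     "operationName": "Microsoft.Compute/galleries/images/versions/read",
     "resourceId": "/subscriptions/sub-1/resourceGroups/rg-images/providers/"
                   f"Microsoft.Compute/galleries/gal1/images/ubuntu/versions/1.0.{i}",
     "resultType": "Success"}
    for i in range(6)
]

# Constructed allowlist of identities expected to read gallery content.
EXPECTED_READERS = {"svc-imagebuild@example.com", "alice@example.com"}


def is_gallery_read(record):
    """True for read operations whose operation name is under the gallery prefix."""
    op = record.get("operationName", "").lower()
    return op.startswith(GALLERY_PREFIX) and op.endswith("/read")


def find_anomalous_readers(records, allowlist, threshold=READ_THRESHOLD):
    """Return {caller: finding} for callers whose gallery reads need review."""
    reads_by_caller = defaultdict(list)
    for rec in records:
        if is_gallery_read(rec):
            reads_by_caller[rec["caller"]].append(rec)

    findings = {}
    for caller, reads in reads_by_caller.items():
        reasons = []
        if caller not in allowlist:
            reasons.append("caller not in gallery-reader allowlist")
        if len(reads) > threshold:
            reasons.append(f"{len(reads)} gallery reads exceed threshold of {threshold}")
        if reasons:
            findings[caller] = {
                "reads": len(reads),
                "reasons": reasons,
                "resources": sorted({r["resourceId"] for r in reads}),
            }
    return findings


if __name__ == "__main__":
    for caller, finding in find_anomalous_readers(SAMPLE_LOG, EXPECTED_READERS).items():
        print(caller, finding["reads"], "; ".join(finding["reasons"]))
```

On the constructed sample the script reports contractor@example.com (not an expected reader) and alice@example.com (expected, but six version reads in one window), while the image-build service account with two reads is left alone. In practice the allowlist would be derived from the role assignments that grant gallery read permissions and the threshold from a per-tenant baseline, and the same filter can be expressed directly as a Log Analytics query against the AzureActivity table.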

Evidence notes

CVSS 7.7 (HIGH) per NVD. CWE-20 (Improper Input Validation). Attack vector: network. Microsoft MSRC reference confirms vendor attribution. NVD status: Undergoing Analysis. Not in KEV.

Official resources

2026-05-22