PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35430 Microsoft CVE debrief

A high-severity authorization bypass vulnerability in Azure Privileged Identity Management (PIM) permits an authenticated attacker to escalate privileges via network access. The flaw stems from improper handling of user-controlled keys (CWE-639), allowing privilege elevation without additional user interaction. Published by NVD on 2026-05-22 and last modified on 2026-05-26, this vulnerability is currently undergoing analysis with no known exploitation in ransomware campaigns. Microsoft has acknowledged the issue through its Security Response Center. Organizations using Azure PIM should prioritize reviewing Microsoft's guidance and applying any available mitigations or updates.

Vendor: Microsoft
Product: Azure Privileged Identity Management (PIM)
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-22
Original CVE updated: 2026-05-27
Advisory published: 2026-05-22
Advisory updated: 2026-05-27

Who should care

Organizations utilizing Microsoft Azure Privileged Identity Management for just-in-time privileged access; Azure administrators and identity architects; security teams responsible for cloud identity governance; compliance officers managing privileged access controls in Azure environments

Technical summary

CVE-2026-35430 is an authorization bypass vulnerability in Azure Privileged Identity Management (PIM) rated CVSS 8.8 (High). The vulnerability allows an authenticated attacker with low privileges to escalate privileges over the network by manipulating user-controlled keys, without requiring user interaction. The underlying weakness is CWE-639 (Authorization Bypass Through User-Controlled Key). The attack complexity is low, and successful exploitation results in high impact to confidentiality, integrity, and availability of Azure resources managed through PIM. The vulnerability was published to NVD on 2026-05-22 and modified on 2026-05-26; it is not currently listed in CISA KEV.

Defensive priority

HIGH

Recommended defensive actions

  • Monitor Microsoft Security Response Center (MSRC) for security updates and detailed mitigation guidance for Azure Privileged Identity Management
  • Review Azure PIM role assignments and activation policies to enforce least-privilege principles and reduce attack surface
  • Audit PIM activity logs for anomalous privilege activation patterns that may indicate exploitation attempts
  • Implement conditional access policies requiring additional authentication factors for sensitive role activations in Azure AD/Entra ID
  • Subscribe to Azure service health notifications and security advisories for timely awareness of patch availability

Evidence notes

The CVE description identifies Azure Privileged Identity Management as the affected component. The CVSS 3.1 vector confirms a network attack vector with low attack complexity and high impact on confidentiality, integrity, and availability. CWE-639 (Authorization Bypass Through User-Controlled Key) is the primary weakness. The Microsoft MSRC reference confirms vendor acknowledgment. Vendor attribution to Microsoft is based on reference domain evidence with low confidence due to an 'Unknown Vendor' classification in the source data; review is recommended.

Official resources

2026-05-22T23:16:47.853Z