Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Microsoft Security Response Center

CVE-2026-42822 Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability

CVE-2026-42822 is a critical (CVSS 10.0) elevation of privilege vulnerability in Azure Local Disconnected Operations (ALDO) caused by improper authentication, allowing unauthorized network-based attackers to gain elevated privileges. Microsoft has deployed mitigations for its cloud environments, but on-premises ALDO customers must update their entire system to version 2604 or later via the Azure portal; updates are restricted and require allow-listing for access.

Security Vulnerability

Released: May 18, 2026
Assigning CNA: Microsoft
CVE.org link: CVE-2026-42822
Impact: Elevation of Privilege
Max Severity: Critical
Weakness: CWE-287: Improper Authentication
CVSS Source: Microsoft
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
Metrics: CVSS:3.1 10.0 / 8.7 (Base score metrics: 10.0 / Temporal score metrics: 8.7)

Base score metrics (8)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Temporal score metrics (3)
Exploit Code Maturity: Unproven
Remediation Level: Official Fix
Report Confidence: Confirmed

Please see Common Vulnerability Scoring System for more information on the definition of these metrics.

Executive Summary

Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network.

Exploitability

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

Publicly disclosed: No
Exploited: No
Exploitability assessment: Exploitation More Likely

FAQ

How do I protect myself from this vulnerability?
For Azure Resource Manager (ARM) customers: Microsoft has deployed a mitigation for this vulnerability across Microsoft-operated Azure environments. Customers using Azure services hosted by Microsoft are already protected. There is no customer action to take.

For Azure Local Disconnected Operations (ALDO) customers: To protect against this vulnerability, customers must update their Azure Local Disconnected Operations (ALDO) environment to the latest available release (version 2604 or later). Updates are not available as standalone patches and must be applied as a full system update through the Azure portal. ALDO is a restricted offering, and updates are only available to approved customers via allow-listing. Customers should follow Microsoft guidance to obtain access and apply the update, using the following documentation:

- How to deploy Disconnected Operations for Azure Local
- How to update Disconnected Operations for Azure Local

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker could gain elevated privileges beyond those normally available to them, allowing actions such as accessing restricted information or performing operations that are typically limited to more highly privileged users or administrators.

How could an attacker exploit this vulnerability?

The most realistic exploitation scenario involves a malicious or compromised insider with existing access to the customer's environment. An attacker could exploit this vulnerability if they:

- Already have access to the internal environment (e.g., an internal user, contractor, or compromised account).
- Possess or can obtain relevant identity information such as tenant identifiers, user identifiers, credentials, or tokens.
- Use this access to interact with and attempt exploitation within the Azure Local Disconnected Operations (ALDO) environment.
Because an insider or compromised internal identity already satisfies many of the environmental and authentication requirements, they may bypass several of the barriers that would otherwise make exploitation more difficult.

In external attacker scenarios, exploitation is significantly more constrained. An attacker would first need to:

- Gain access to the customer's internal network (which may require physical presence or prior compromise), and
- Obtain valid identity context within the environment.

Additionally, Azure Local Disconnected Operations is designed to operate in a disconnected and isolated configuration, limiting direct external exposure and reducing the likelihood of opportunistic remote exploitation.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

Acknowledgements

Sridhar Periyasamy

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgements for more information.

Security Updates

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Product: Azure Local
Release date: May 18, 2026
Platform: -
Impact: Elevation of Privilege
Max Severity: Critical
Article: Release Notes
Download: Security Update
Build Number: 2604.2.25645
Assigning CNA: Microsoft
Customer Action Required: Required

Product: Azure Resource Manager
Release date: May 18, 2026
Platform: -
Impact: Elevation of Privilege
Max Severity: Critical
Article: -
Download: -
Build Number: -
Assigning CNA: Microsoft
Customer Action Required: Required

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

Version: 1.0
Revision date: May 18, 2026
Description: Information published.
