Exposure of sensitive information to an unauthorized actor in Azure DevOps allows an unauthorized attacker to disclose information over a network.
The vulnerability classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) involves improper access control to protected resources or data in the Azure DevOps service. An attacker without any permissions can send a specially crafted request over the network and gain access to information that should be available only to authorized users. The vulnerability does not require user interaction, and its scope extends beyond the originally attacked component (Scope: Changed).
An attacker can remotely and without authentication disclose sensitive information stored or processed by Azure DevOps, which may include project data, source code, pipeline configurations, tokens, or other confidential organizational resources. Leakage of such data may lead to further attacks on IT infrastructure.
Patches available from the vendor should be applied according to references — details regarding updates are published in the Microsoft Security Response Center at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42826
Microsoft Azure DevOps — versions indicated in vendor references (Microsoft Security Response Center)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMicrosoft Azure Devops
APPMicrosoftwszystkie wersje
Related vulnerabilities
Authentication Bypass w Azure DevOps — eskalacja uprawnień przez sieć
Pominięcie uwierzytelnienia w Azure DevOps — eskalacja uprawnień przez sieć
Insufficiently protected credentials in Azure DevOps allows an unauthorized attacker to elevate privileges ove...
Atak na łańcuch dostaw DAEMON Tools Lite — trojanizacja instalatorów
RCE przez deserializację niezaufanych danych w Microsoft SharePoint Server