Critical Azure SRE Agent Token Flaw Exposed Cross-Tenant AI Sessions
Researchers at Enclave disclosed a critical improper authentication flaw in Microsoft's Azure SRE Agent that allowed an outsider with only a free Azure account to observe another organization's AI operations agent in real time. The cross-tenant exposure stemmed from a token issuance process that accepted accounts from any Microsoft cloud tenant and a communication channel that verified token validity but not tenant ownership, enabling unauthorized access to live agent sessions.
Microsoft confirmed the issue, assigned CVE-2026-32173, rated it critical with a CVSS score of 8.6, and remediated it server-side. According to the disclosure, exposed data could include user prompts, agent responses, step-by-step reasoning, executed commands, command output, and even plaintext credentials, while generating no logs visible to the victim organization, underscoring wider concerns that enterprise AI agent deployments are outpacing governance and security controls.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly disclose the Azure SRE Agent vulnerability
Public reporting revealed the critical Azure SRE Agent flaw and its impact on cross-tenant exposure of AI operations data. The disclosure highlighted broader concerns that AI agent deployments are outpacing governance and security controls.
Microsoft assigns CVE-2026-32173 and remediates the issue server-side
Microsoft classified the flaw as improper authentication, assigned it CVE-2026-32173, rated it critical with a CVSS score of 8.6, and fixed it through a server-side remediation. The vulnerability affected token issuance and tenant validation in the agent communication channel.
Enclave reports the Azure SRE Agent flaw to Microsoft
Enclave disclosed the vulnerability to the Microsoft Security Response Center for investigation. Microsoft confirmed the issue after receiving the report.
Enclave discovers cross-tenant authentication flaw in Azure SRE Agent
Researchers at Enclave identified an improper authentication vulnerability in Microsoft's Azure SRE Agent that allowed outsiders with a free Azure account to observe another organization's AI agent activity in real time. The exposure included prompts, responses, reasoning steps, executed commands, command output, and plaintext credentials, with no victim-side logs generated.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
AI Agent Framework Flaws Turn Prompt Injection Into Code Execution and Persistence
Microsoft disclosed two critical vulnerabilities in its **Semantic Kernel** AI agent framework that could let prompt injection escalate into host compromise. `CVE-2026-26030` affected the Python implementation before version `1.39.4`, where unsafe `eval()`-based lambda construction in the Search Plugin’s default In-Memory Vector Store filter path enabled remote code execution, while `CVE-2026-25592` affected the .NET SDK before version `1.71.0` and allowed arbitrary file write through `SessionsPythonPlugin`’s `DownloadFileAsync`, creating a path to sandbox escape and host takeover; a related arbitrary file read issue was also present in upload handling. Microsoft said it hardened AST validation, restricted callable functions and attributes, removed unintended tool exposure, added path validation, and urged customers to patch and review endpoint telemetry for signs of exploitation. The disclosure lands amid broader warnings that AI agents can preserve and amplify malicious instructions through memory and context reuse. Cisco researchers recently showed that poisoned memory files in Anthropic’s **Claude Code** could persist across projects and sessions, steering the assistant to insert hard-coded secrets, choose insecure packages and configurations, and spread tainted changes to another developer. Researchers and defenders say the incidents reinforce that AI models are not security boundaries and that any model-influenced tool parameter, memory file, or context artifact should be treated as attacker-controlled input, with mitigations including patching vulnerable frameworks, scanning memory and dependency files, and purging stored agent memory after suspected compromise.
May 7, 2026
Microsoft Discloses Elevation-of-Privilege Flaws Across Azure Services
Microsoft has published multiple Security Update Guide entries for elevation-of-privilege vulnerabilities affecting cloud services including **Azure Resource Manager**, **Azure Entra ID**, **Azure AI Foundry**, and **Redis Enterprise**. The disclosed issues include `CVE-2026-47280` and `CVE-2026-24304` in Azure Resource Manager, `CVE-2026-24305` and `CVE-2025-55241` in Azure Entra ID, `CVE-2025-59271` in Redis Enterprise, and `CVE-2026-35435` in Azure AI Foundry, indicating a broader set of privilege-boundary weaknesses across Microsoft-managed platforms. Microsoft provided the most detail for **CVE-2026-35435**, describing it as a **critical** improper access control flaw in Azure AI Foundry M365 published agents that could be exploited remotely over the network without privileges or user interaction, with potential for high confidentiality impact. The company said exploitation was considered more likely, but the vulnerability had not been publicly disclosed or exploited at publication time, and the service-side issue was already fully mitigated with **no customer action required**; the remaining CVEs were listed with limited public detail in the update guide.
May 25, 2026
Microsoft Entra ID Flaw Let Agent Admins Take Over Service Principals
Microsoft fixed a privilege escalation flaw in **Entra ID** that allowed users with the built-in **Agent ID Administrator** role to take over arbitrary service principals, including identities unrelated to AI agents. Silverfort reported that the role could assign ownership over a target service principal, add new credentials, and then authenticate as that principal, effectively enabling full service principal takeover. The weakness stemmed from a scoping gap in Microsoft’s Agent Identity Platform, where a role intended to manage agent-related objects could also affect standard directory components. The exposure was especially serious in tenants with highly privileged service principals, where attackers could inherit sensitive API access, integrations, or directory-level roles and potentially reach **Global Administrator-equivalent** power. Silverfort said the abuse path was broadly relevant because most customer tenants it analyzed had at least one privileged service principal, while ownership changes could blend in with normal administrative activity and evade detection. Microsoft addressed the issue with a backend fix that restricted the **Agent ID Administrator** role to agent-related objects and said the remediation was fully rolled out by April 9.
Apr 28, 2026