Severity: High

Improper Authentication Information Disclosure in Azure SRE Agent

Identifiers: CVE-2026-32173; CWE-287 (Improper Authentication)

CVE-2026-32173 is an improper authentication vulnerability in Microsoft Azure SRE Agent, a hosted Azure cloud operations agent that streams operational activity in real time. According to the provided reporting and advisory material, the flaw was caused by a token issuance and validation design that accepted valid tokens from any Microsoft cloud tenant but failed to verify that the token holder belonged to the target organization. As a result, the agent communication channel effectively exposed session data to unauthorized cross-tenant observers. Reported exposed data included user prompts, agent responses, the agent's step-by-step reasoning, executed commands, command details, command output, and in testing, plaintext deployment credentials. Microsoft classified the issue as improper authentication and information disclosure, assigned CVE-2026-32173, and remediated it server-side.


Analyst brief: impact, mitigation and remediation

Impact


Successful exploitation allowed unauthorized, network-based disclosure of sensitive information from Azure SRE Agent sessions. Based on the supplied context, an attacker could observe another organization's agent activity in real time, including operational prompts, responses, reasoning traces, commands executed against infrastructure, command output, and potentially plaintext credentials. The provided CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N describes a network-reachable, low-complexity issue requiring no privileges or user interaction, with changed scope and high confidentiality impact but no demonstrated integrity or availability impact. The reporting also states that victim organizations had no visibility into unauthorized observation, because the relevant connection evidence was not available on the victim side.

Mitigation


No customer mitigation is required per Microsoft's advisory because the issue was remediated server-side in the hosted service. Prior to remediation, the practical exposure conditions described in the reporting were tied to the service's authentication and authorization design, not to a customer-configurable setting.

Remediation


Microsoft states the vulnerability has already been fully mitigated by Microsoft through a service-side fix. No customer remediation is required according to the MSRC advisory. The underlying corrective action, based on the provided context, would involve enforcing tenant-aware authorization on the Azure SRE Agent communication channel and ensuring issued tokens are validated not only for authenticity but also for authorization to access the specific target tenant/session.
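The remediation paragraph above describes the corrective action in general terms: a token must be checked not only for authenticity but for authorization to the specific tenant and session. The following is an added illustration of that distinction, written for this page; it is not Azure SRE Agent, SignalR or Microsoft code, and the token format, key, audience value, session registry and function names are all constructed assumptions. Tokens are simplified HMAC-signed JWTs so the example runs offline; a hosted service would instead validate its identity provider's signed tokens, but the authorization gap and its fix look the same.

```python
"""Tenant-aware authorization check for an agent session channel.

Added illustration, not code from Azure SRE Agent or Microsoft. Tokens here
are simplified HMAC-signed JWTs with a constructed demo key; a real service
would validate tokens issued by its identity provider, but the gap between
"token is genuine" and "token holder may access this tenant" is the same.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the token issuer's signing key (assumption).
SIGNING_KEY = b"constructed-demo-signing-key"
AUDIENCE = "agent-hub"  # hypothetical audience value for the session channel

# Constructed session registry: which tenant owns each agent session.
SESSIONS = {
    "sess-001": {"tenant_id": "tenant-A"},
    "sess-002": {"tenant_id": "tenant-B"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(tenant_id: str, subject: str, audience: str = AUDIENCE,
               key: bytes = SIGNING_KEY, ttl: int = 3600) -> str:
    """Issue a signed token carrying the holder's tenant id ("tid") claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"tid": tenant_id, "sub": subject, "aud": audience,
              "exp": int(time.time()) + ttl}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_token(token: str, audience: str = AUDIENCE,
                 key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Authenticity only: signature, audience and expiry.

    Says nothing about which tenant's sessions the holder may access."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        signing_input = f"{header_b64}.{claims_b64}".encode()
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # malformed base64 or JSON
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= time.time():
        return None
    return claims


def authorize_vulnerable(token: str, session_id: str) -> bool:
    """Weak check: any validly signed token from any tenant may subscribe to
    any existing session. This is the class of gap the advisory describes."""
    return verify_token(token) is not None and session_id in SESSIONS


def authorize_hardened(token: str, session_id: str) -> bool:
    """Tenant-aware check: the token's tenant must own the requested session."""
    claims = verify_token(token)
    session = SESSIONS.get(session_id)
    if claims is None or session is None:
        return False
    holder_tenant = str(claims.get("tid", "")).encode()
    return hmac.compare_digest(holder_tenant, session["tenant_id"].encode())


if __name__ == "__main__":
    own = mint_token("tenant-A", "sre-operator")
    foreign = mint_token("tenant-B", "user-in-another-tenant")
    print("own tenant, hardened:", authorize_hardened(own, "sess-001"))            # True
    print("foreign tenant, vulnerable:", authorize_vulnerable(foreign, "sess-001"))  # True
    print("foreign tenant, hardened:", authorize_hardened(foreign, "sess-001"))      # False
```

The point of the two functions is that `authorize_vulnerable` and `authorize_hardened` run exactly the same signature, audience and expiry validation; the only difference is that the hardened check binds the token's tenant claim to the owner of the requested session before allowing the subscription. A useful review question for any multi-tenant channel is therefore whether the authorization step consults anything the token does not already assert about itself.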
Public exploits

No public exploit code observed for this vulnerability.

Affected products & vendors

Vendor                 Product                              Type
Microsoft Corporation  Azure SRE Agent                      application
Microsoft Corporation  Azure SRE Agent Gateway SignalR Hub  application
