high advisory

CVE-2026-35430 — Azure PIM Authorization Bypass via User-Controlled Key

CVE-2026-35430 allows an authorized attacker to elevate privileges over a network in Azure Privileged Identity Management (PIM) through a user-controlled key.

CVE-2026-35430 is an authorization bypass vulnerability affecting Azure Privileged Identity Management (PIM). An authorized attacker can exploit this vulnerability to elevate privileges over a network. This is achieved by manipulating a user-controlled key within the PIM system, leading to unauthorized access and control. This vulnerability poses a significant risk to organizations relying on Azure PIM for managing privileged access, potentially allowing attackers to compromise critical resources and data. The vulnerability was reported to Microsoft and assigned a CVSS v3.1 score of 8.8, indicating a high severity. Defenders should prioritize patching and monitoring for any suspicious activity related to PIM.

Attack Chain

  1. An attacker gains initial access to an Azure account with some level of authorization.
  2. The attacker identifies the Azure PIM service as a potential target for privilege escalation.
  3. The attacker discovers a user-controlled key within the Azure PIM configuration.
  4. The attacker modifies the user-controlled key to bypass authorization checks.
  5. The attacker attempts to activate a privileged role within Azure PIM.
  6. Due to the manipulated key, the attacker is granted the privileged role despite lacking proper authorization.
  7. The attacker uses the elevated privileges to access and control network resources.

Impact

Successful exploitation of CVE-2026-35430 allows an attacker to gain unauthorized privileged access within an Azure environment. This can lead to a complete compromise of the targeted network, including access to sensitive data, modification of critical configurations, and disruption of services. The impact is significant for organizations relying on Azure PIM to protect their infrastructure and data, potentially leading to substantial financial and reputational damage.

Recommendation

  • Apply the patch provided by Microsoft for CVE-2026-35430 as soon as possible to prevent exploitation.
  • Monitor Azure logs for any unauthorized attempts to activate privileged roles in PIM, using the provided Sigma rules.
  • Implement multi-factor authentication (MFA) for all user accounts, especially those with privileged access, to reduce the risk of initial access.
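
The monitoring recommendation above, as an added Python example (not code from this advisory, its Sigma rules, or Microsoft): it reviews PIM role activations against an inventory of approved eligibilities and flags activations that closely follow a change made by the same actor. The record layout, the activity names, the set of change activities, the 30-minute window and all sample data are assumptions constructed for illustration; the advisory does not say which change events are relevant, so check the names against your tenant's audit export.

```python
from datetime import datetime, timedelta

# Assumed audit activity names; verify against your tenant's audit log export.
ACTIVATION = "Add member to role completed (PIM activation)"
# Assumption: the advisory does not name the relevant change events; tune this set.
CHANGES = {"Update role setting in PIM",
           "Add eligible member to role in PIM completed (permanent)"}
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed inventory of approved (principal, role) eligibilities.
ELIGIBLE = {("alice@example.test", "Global Administrator"),
            ("bob@example.test", "User Administrator")}

# Constructed, simplified audit records: (time, actor, activity, role).
EVENTS = [
    ("2026-01-10T09:00:00", "alice@example.test", ACTIVATION, "Global Administrator"),
    ("2026-01-10T10:05:00", "bob@example.test", "Update role setting in PIM", "User Administrator"),
    ("2026-01-10T10:12:00", "bob@example.test", ACTIVATION, "User Administrator"),
    ("2026-01-10T11:30:00", "mallory@example.test", ACTIVATION, "Global Administrator"),
    ("2026-01-10T15:00:00", "bob@example.test", ACTIVATION, "User Administrator"),
]


def review_activations(events, eligible, window=WINDOW):
    """Return (time, actor, role, reason) for activations that need review."""
    findings = []
    last_change = {}  # actor -> time of that actor's most recent change event
    for ts, actor, activity, role in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        if activity in CHANGES:
            last_change[actor] = when
        elif activity == ACTIVATION:
            if (actor, role) not in eligible:
                # Role granted to a principal with no approved eligibility.
                findings.append((ts, actor, role, "no_eligibility"))
            elif actor in last_change and when - last_change[actor] <= window:
                # Eligible, but the actor changed PIM configuration just before.
                findings.append((ts, actor, role, "activation_after_change"))
    return findings


if __name__ == "__main__":
    for finding in review_activations(EVENTS, ELIGIBLE):
        print(finding)
```
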

Detection coverage (2)

Detect CVE-2026-35430 Exploitation Attempt - Azure PIM Role Activation with Suspicious Key Modification

high

Detects attempts to activate privileged roles in Azure PIM after a suspicious modification of user-controlled keys, potentially indicating CVE-2026-35430 exploitation.

sigma | tactics: cve-2026-35430, privilege_escalation | techniques: T1068 | sources: cloudtrail, aws

Detect CVE-2026-35430 - Anomalous Azure AD Authentication Context Modification

medium

Detects modifications to Azure AD authentication contexts, which might indicate an attempt to exploit CVE-2026-35430 by manipulating user-controlled keys.

sigma | tactics: cve-2026-35430, privilege_escalation | techniques: T1556.006 | sources: cloudtrail, aws
