{ "document": { "acknowledgments": [ { "names": [ "Rajesh Chada with Microsoft" ] } ], "aggregate_severity": { "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Public", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle", "title": "Additional Resources" }, { "category": "legal_disclaimer", "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.", "title": "Disclaimer" }, { "category": "general", "text": "Required. The vulnerability documented by this CVE requires customer action to resolve.", "title": "Customer Action" } ], "publisher": { "category": "vendor", "contact_details": "secure@microsoft.com", "name": "Microsoft Security Response Center", "namespace": "https://msrc.microsoft.com" }, "references": [ { "category": "self", "summary": "CVE-2026-42823 Azure Logic Apps Elevation of Privilege Vulnerability - HTML", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42823" }, { "category": "self", "summary": "CVE-2026-42823 Azure Logic Apps Elevation of Privilege Vulnerability - CSAF", "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-42823.json" }, { "category": "external", "summary": "Microsoft Exploitability Index", "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1" }, { "category": "external", "summary": "Microsoft Support Lifecycle", "url": "https://support.microsoft.com/lifecycle" }, { "category": "external", "summary": "Common Vulnerability Scoring System", "url": "https://www.first.org/cvss" } ], "title": "Azure Logic Apps Elevation of Privilege Vulnerability", "tracking": { "current_release_date": "2026-05-12T07:00:00.000Z", "generator": { "date": "2026-05-13T17:58:07.530Z", "engine": { "name": "MSRC Generator", "version": "1.0" } }, "id": "msrc_CVE-2026-42823", "initial_release_date": "2026-05-12T07:00:00.000Z", "revision_history": [ { "date": "2026-05-12T07:00:00.000Z", "legacy_version": "1", "number": "1", "summary": "Information published." } ], "status": "final", "version": "1" } }, "vulnerabilities": [ { "cve": "CVE-2026-42823", "cwe": { "id": "CWE-284", "name": "Improper Access Control" }, "notes": [ { "category": "general", "text": "Microsoft", "title": "Assigning CNA" }, { "category": "faq", "text": "Customers will be notified via Azure Service Health notification if they are impacted by this vulnerability. These alerts will include specific mitigation guidance and required actions for affected Azure Logic Apps resources.\nCustomers who have received an Azure Service Health notification for this issue can reference** Tracking ID:** 1P8-C0G in the Azure portal to review the applicable guidance and required remediation steps.\nThe Security Updates table for this CVE will be updated as additional information becomes available.\nAdditionally, customers who have subscribed to the Security Update Guide will be notified when this CVE is revised to reflect updated guidance or mitigation details. If you wish to be notified when updates are released, we recommend registering for security notifications to stay informed of content changes.", "title": "What do customers do to protect themselves from the vulnerability?" } ], "product_status": { "fixed": [ "12228" ], "known_affected": [ "1" ] }, "references": [ { "category": "self", "summary": "CVE-2026-42823 Azure Logic Apps Elevation of Privilege Vulnerability - HTML", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42823" }, { "category": "self", "summary": "CVE-2026-42823 Azure Logic Apps Elevation of Privilege Vulnerability - CSAF", "url": "https://msrc.microsoft.com/csaf/advisories/2026/msrc_cve-2026-42823.json" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "environmentalsScore": 0.0, "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "CHANGED", "temporalScore": 8.6, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C", "version": "3.1" }, "products": [ "1" ] } ], "threats": [ { "category": "impact", "details": "Elevation of Privilege" }, { "category": "exploit_status", "details": "Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely" } ], "title": "Azure Logic Apps Elevation of Privilege Vulnerability" } ] }