Summary
CVE-2026-21532 in Azure Functions lets attackers remotely access sensitive data. The impact is mainly on confidentiality, with a low impact on integrity and none on availability. The National Vulnerability Database and Microsoft’s Security Update Guide both list the issue, which was first reported on February 5, 2026, with Microsoft Corporation as the CNA.
Urgent Actions Required
- Check Microsoft’s Security Update Guide for CVE-2026-21532.
- Apply the February 2026 Microsoft security updates to all relevant Azure Functions.
Which Systems Are Vulnerable to CVE-2026-21532?
Technical Overview
- Vulnerability Type: Information Disclosure
- Affected Software/Versions: Azure Functions (Hosted Service)
- CVSS Vector: v3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
- Patch Availability: Yes, available (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21532)
What Causes CVE-2026-21532?
Vulnerability Root Cause:
CVE-2026-21532 in Azure Functions is an information disclosure issue (CWE-200) that lets sensitive data be accessed remotely without authentication or user action. The exact technical cause has not been made public.
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 8.2 | Reflects a high-severity vulnerability primarily impacting confidentiality |
| Attack Vector | Network | Can be triggered remotely over a network |
| Attack Complexity | Low | No special conditions are required for exploitation |
| Privileges Required | None | Does not require authentication |
| User Interaction | None | No action from a user is necessary |
| Scope | Unchanged | Impact remains within the affected service boundary |
| Confidentiality Impact | High | May result in exposure of sensitive information |
| Integrity Impact | Low | Limited effect on data integrity |
| Availability Impact | None | No service disruption impact indicated |