Skip to content

Add CVE-2026-32173: Azure SRE Agent Cross-Tenant Info Disclosure#471

Open
vanhoangkha wants to merge 1 commit into
wiz-sec:mainfrom
vanhoangkha:contribution/cve-2026-32173-azure-sre-agent
Open

Add CVE-2026-32173: Azure SRE Agent Cross-Tenant Info Disclosure#471
vanhoangkha wants to merge 1 commit into
wiz-sec:mainfrom
vanhoangkha:contribution/cve-2026-32173-azure-sre-agent

Conversation

@vanhoangkha

Copy link
Copy Markdown

Summary

Adds a vulnerability entry for CVE-2026-32173 — Azure SRE Agent Information Disclosure.

Closes #469

Details

  • Severity: HIGH (CVSS 8.6)
  • Platform: Azure
  • Service: Azure SRE Agent
  • Discovered by: Yanir Tsarimi @ Enclave
  • Published: 2026/04/20
  • Disclosed: 2026/04/02

Azure SRE Agent's WebSocket endpoint (/agentHub) was configured with multi-tenant app registration, allowing any Azure AD account from any organization to eavesdrop on agent conversations, executed commands, and credentials in real time — without leaving any trace in the victim's environment.

Patched server-side by Microsoft.

References

Addresses wiz-sec#469. Azure SRE Agent's WebSocket endpoint (/agentHub) was
configured with multi-tenant app registration, allowing any Azure AD
account to eavesdrop on agent conversations, commands, and credentials
in real time without leaving any trace.

Severity: HIGH (CVSS 8.6)
Discovered by: Yanir Tsarimi @ Enclave
Patched server-side by Microsoft.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Contribution] CVE-2026-32173 -- Azure SRE Agent Information Disclosure Vulnerability

1 participant