CVE-2026-26117

CWE-2884 documents4 sources

Severity

7.8HIGH

EPSS

0.1%

top 83.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft ARC Enabled Servers - Azure Connected Machine Agent Microsoft ARC Enabled Servers Azure Connected Machine Agent

Timeline

PublishedMar 10

Description

Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDmicrosoft/arc_enabled_servers_azure_connected_machine_agent1.0.0 — 1.61

▶CVEListV5microsoft/arc_enabled_servers_-_azure_connected_machine_agent1.0.0 — 1.61

🔴Vulnerability Details

GHSA

GHSA-76jf-fgc3-37rx: Authentication bypass using an alternate path or channel in Azure Windows Virtual Machine Agent allows an authorized attacker to elevate privileges lo↗2026-03-10

▶

CVEList

Arc Enabled Servers - Azure Connected Machine Agent Elevation of Privilege Vulnerability↗2026-03-10

▶

📋Vendor Advisories

Microsoft

Arc Enabled Servers - Azure Connected Machine Agent Elevation of Privilege Vulnerability↗2026-03-10

▶