cbcvebase.
CVE-2026-26119
published 2026-02-17

CVE-2026-26119: Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.80%
52.1th percentile
Improper authentication in Windows Admin Center allows an authorized attacker to elevate privileges over a network.

Affected

3 ranges
VendorProductVersion rangeFixed in
microsoftwindows_admin_center< 25112511
microsoftwindows_admin_center>= 1809.0 < 2.6.42.6.4
msrcwindows_admin_center

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2026-26119 affects Windows Admin Center (cpe:2.3:a:microsoft:windows_admin_center) and exploits improper authentication to allow network-based privilege escalation. Monitor for unexpected privilege elevation events originating from Windows Admin Center sessions over the network.
  • The attacker gains the rights of the user running the affected Windows Admin Center application. Alert on processes or actions spawned by the Windows Admin Center service account with elevated privileges not consistent with normal operation.
  • Microsoft rates this vulnerability as 'Exploitation More Likely' despite no confirmed in-the-wild exploitation at time of publication. Prioritize patching and monitor Windows Admin Center network traffic for anomalous authentication attempts.
  • A public exploit exists for CVE-2026-26119. Treat any unauthenticated or improperly authenticated requests to Windows Admin Center endpoints as high-priority alerts.
  • ·The fix for CVE-2026-26119 was released on February 20, 2026 (two separate fix entries). Ensure Windows Admin Center is updated to the patched version referenced at https://aka.ms/wac2511.
  • ·Customer action is required to remediate this vulnerability; it is not automatically patched. Refer to the official release notes linked from the MSRC advisory.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.