← Back to all briefs
Security55s read

CVSS 10.0: Azure DevOps Hit With Maximum-Severity Information Disclosure Bug

CVE-2026-42826 lets unauthenticated attackers extract sensitive data from Azure DevOps with zero user interaction. CVSS score of 10.0, the highest possible. Here's what's exposed and how to check if you're patched.

Microsoft's May 2026 security update included CVE-2026-42826, a CVSS 10.0 vulnerability in Azure DevOps, the highest severity rating possible.

What makes it a 10.0

The CVSS vector ticks every box for maximum severity:

What's exposed

The vulnerability allows unauthenticated attackers to disclose sensitive information from Azure DevOps instances over the network. This includes:

The broader context

This lands in a year where CI/CD pipelines are increasingly the target of choice for attackers. Recent campaigns have targeted:

Immediate actions

  1. Apply the May 2026 security update, Microsoft has released patches
  2. Audit Azure DevOps audit logs for unauthorized access during the pre-patch window
  3. Rotate any credentials that were referenced in pipeline configurations
  4. Review network exposure, ensure Azure DevOps instances aren't unnecessarily internet-facing

The bottom line

A 10.0 CVSS score means this is as bad as it gets on the vulnerability scale. If you run Azure DevOps, apply the patch now and audit your exposure. The attack requires no authentication and no user interaction, script-kiddie friendly and likely already being scanned for.