CVSS 10.0: Azure DevOps Hit With Maximum-Severity Information Disclosure Bug
CVE-2026-42826 lets unauthenticated attackers extract sensitive data from Azure DevOps with zero user interaction. CVSS score of 10.0, the highest possible. Here's what's exposed and how to check if you're patched.
Microsoft's May 2026 security update included CVE-2026-42826, a CVSS 10.0 vulnerability in Azure DevOps, the highest severity rating possible.
What makes it a 10.0
The CVSS vector ticks every box for maximum severity:
- Attack complexity: Low, no special conditions required
- Privileges required: None, unauthenticated access
- User interaction: None, no phishing or social engineering needed
- Scope: Changed, impacts resources beyond the vulnerable component
What's exposed
The vulnerability allows unauthenticated attackers to disclose sensitive information from Azure DevOps instances over the network. This includes:
- Source code stored in repositories
- Pipeline configurations and secrets references
- Work item data and attachments
- Build artifacts and release definitions
The broader context
This lands in a year where CI/CD pipelines are increasingly the target of choice for attackers. Recent campaigns have targeted:
- GitHub Actions, the
tj-actions/changed-filescompromise impacted 23,000+ repositories - Pipe-Psiphon, malware scraping secrets from CI/CD runner memory
- npm/PyPI/Docker Hub, three simultaneous supply-chain campaigns in April 2026
Immediate actions
- Apply the May 2026 security update, Microsoft has released patches
- Audit Azure DevOps audit logs for unauthorized access during the pre-patch window
- Rotate any credentials that were referenced in pipeline configurations
- Review network exposure, ensure Azure DevOps instances aren't unnecessarily internet-facing
The bottom line
A 10.0 CVSS score means this is as bad as it gets on the vulnerability scale. If you run Azure DevOps, apply the patch now and audit your exposure. The attack requires no authentication and no user interaction, script-kiddie friendly and likely already being scanned for.