In brief: Microsoft is blocking CVE assignment for a CERT-confirmed Azure Backup vulnerability with privilege escalation potential, despite documentation suggesting a retroactive fix was applied.
A security researcher accuses Microsoft of silently patching a critical vulnerability in Azure Backup for AKS after rejecting the disclosure and blocking CVE assignment. The flaw would have allowed attackers with the low-privileged “Backup Contributor” role to escalate rights to cluster administrator level.
Security researcher Justin O’Leary discovered the vulnerability in March and reported it to Microsoft on March 17, 2026. The Microsoft Security Response Center (MSRC) rejected the report on April 13, arguing that the flaw would only allow an attacker to gain administrator rights on a cluster where they already had administrative access. This characterization directly contradicts O’Leary’s findings: in reality, users without any Kubernetes permissions, and therefore without prior cluster access, could escalate to cluster admin through the vulnerability.
Microsoft told MITRE that O’Leary’s report contained “AI-generated content,” according to the researcher. O’Leary then contacted the CERT Coordination Center, which independently confirmed the vulnerability on April 16 and assigned tracking ID VU#284781. A public disclosure was scheduled for June 1, 2026, but did not occur.
On May 4, Microsoft employees contacted MITRE and recommended against issuing a CVE, again arguing that administrative access rights were required. O’Leary documents, however, that Microsoft added new permission checks after his disclosure and that his exploits subsequently failed, which points to a retroactive fix. Microsoft contends instead that the observed behavior was intentional and that “no product changes were made.” CERT/CC, conversely, regards it as a legitimate defect.
The case illustrates a tension between security researchers and vendors: while Microsoft contests the technical substance of the report, documented evidence of silent patching exists, and an independent authority such as CERT/CC confirms the legitimacy of the disclosure. For cloud administrators operating Azure Backup for AKS, the situation remains unclear: without a CVE record, the scope of the incident is difficult to assess, yet the available evidence points to a genuine privilege escalation vulnerability.
Source: ainews-dev.lumi-systems.io · Published May 17, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.5.2.