CVE-2026-26147 Overview
CVE-2026-26147 is an information disclosure vulnerability in Azure Compute Gallery affecting Microsoft Azure Stack HCI. The flaw stems from improper input validation [CWE-20], allowing an authorized attacker to disclose sensitive information over a network. Microsoft published the advisory through the Microsoft Security Response Center (MSRC).
The vulnerability requires low privileges and no user interaction. It carries a scope change, meaning successful exploitation can impact resources beyond the vulnerable component. Confidentiality impact is rated high, while integrity and availability are not affected.
Critical Impact
An authenticated attacker with low privileges can exploit improper input validation in Azure Compute Gallery to read sensitive information across trust boundaries within Azure Stack HCI environments.
Affected Products
- Microsoft Azure Stack HCI
- Azure Compute Gallery component
- Deployments referencing cpe:2.3:a:microsoft:azure_stack_hci
Discovery Timeline
- 2026-05-22 - CVE-2026-26147 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-26147
Vulnerability Analysis
The vulnerability resides in the Azure Compute Gallery service used by Azure Stack HCI to manage and distribute virtual machine images, application definitions, and related artifacts. Improper input validation [CWE-20] in request handling permits an authorized caller to submit crafted input that the service processes without adequate sanitization. The resulting behavior exposes data the caller should not be able to read.
Because the CVSS scope is changed, the disclosure crosses a security boundary. An attacker operating within one authorization context can retrieve information belonging to a different context managed by the same gallery service. This pattern is consistent with multi-tenant or shared-resource cloud services where input parsing dictates which records are returned.
Root Cause
The root cause is missing or insufficient validation of attacker-controlled input within Azure Compute Gallery request processing. When validation logic fails to constrain identifiers, filters, or query parameters, the service returns data outside the caller's intended scope. Microsoft has not published implementation specifics, and no public proof-of-concept exists.
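The defect class described above, a caller-supplied identifier that is neither validated nor bound to the caller's authorization context, next to the hardened form a reviewer would expect. This is an added illustration, not Microsoft's code: the advisory publishes no implementation details for CVE-2026-26147, so the catalog, tenant names, identifier format and record fields are all constructed.

```python
"""Illustrative CWE-20 scope-enforcement defect beside its hardened form.

Added example, not Microsoft's code: the advisory publishes no implementation
details for CVE-2026-26147, so this models only the generic class of defect the
page describes (a caller-supplied identifier that is neither validated nor
constrained to the caller's authorization context). All names, records and the
identifier format are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed catalog: image versions owned by two different tenants. The
# "sas" field stands in for material that must never reach another tenant.
CATALOG = {
    "img-0001": {"tenant": "tenant-a", "name": "ubuntu-hardened", "sas": "sig=AAAA"},
    "img-0002": {"tenant": "tenant-b", "name": "finance-db", "sas": "sig=BBBB"},
}

ID_PATTERN = re.compile(r"img-\d{4}")  # assumed identifier format


@dataclass(frozen=True)
class Caller:
    principal: str
    tenant: str  # the authorization context every lookup must be bound to


class NotFound(Exception):
    pass


def lookup_vulnerable(caller: Caller, image_id: str) -> Optional[dict]:
    """Before: the identifier is trusted and resolved against the whole store,
    so any authenticated tenant can read another tenant's record in full."""
    return CATALOG.get(image_id)


def lookup_hardened(caller: Caller, image_id: str) -> dict:
    """After: reject malformed identifiers, resolve only within the caller's
    tenant, and make 'does not exist' and 'belongs to someone else'
    indistinguishable so the endpoint is not an existence oracle."""
    if not ID_PATTERN.fullmatch(image_id):
        raise ValueError("malformed image identifier")
    record = CATALOG.get(image_id)
    if record is None or record["tenant"] != caller.tenant:
        raise NotFound(image_id)
    # Project to the fields the caller is entitled to; credential-bearing
    # fields are never copied into the response.
    return {"id": image_id, "name": record["name"]}


def try_lookup(caller: Caller, image_id: str) -> str:
    """Summarise the hardened path's outcome as a string (handy for tests/logs)."""
    try:
        return "ok:" + lookup_hardened(caller, image_id)["name"]
    except ValueError:
        return "invalid"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    alice = Caller("alice@tenant-a", "tenant-a")
    print("vulnerable:", lookup_vulnerable(alice, "img-0002"))  # another tenant's record
    print("hardened:  ", try_lookup(alice, "img-0002"))          # not_found
```

The two properties worth carrying into a real service are the ones the hardened path enforces together: the lookup is scoped by the caller's context rather than filtered after the fact, and the unauthorized and nonexistent cases return the same error so the response cannot be used to confirm that a record exists in another context.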
Attack Vector
The attack vector is network-based. An attacker must hold valid credentials with low privileges in the target Azure Stack HCI environment. Exploitation does not require user interaction or social engineering. Once authenticated, the attacker sends crafted requests to the Azure Compute Gallery API and parses responses for disclosed material such as image metadata, configuration details, or other gallery-managed information.
No exploit code is publicly available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and the EPSS score reflects a low predicted likelihood of exploitation in the near term.
Detection Methods for CVE-2026-26147
Indicators of Compromise
- Unexpected Azure Compute Gallery API calls originating from low-privilege service principals or user accounts
- Repeated GET operations against gallery image, version, or application resources outside the caller's normal scope
- Anomalous enumeration patterns against Microsoft.Compute/galleries resource providers in Azure activity logs
Detection Strategies
- Review Azure Activity Logs and Azure Resource Manager audit trails for gallery read operations performed by accounts that do not typically access those resources
- Correlate Microsoft Entra ID sign-in events with subsequent gallery queries to identify suspicious session activity
- Baseline expected gallery access per role and alert on deviations such as cross-subscription or cross-resource-group reads
Monitoring Recommendations
- Enable diagnostic settings on Azure Compute Gallery resources and forward logs to a central SIEM for retention and analysis
- Monitor authorization failures and partial-success responses from gallery endpoints that may indicate probing
- Track service principal and managed identity behavior for unusual gallery API consumption volumes
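The indicators and detection strategies above, implemented as three rules over constructed control-plane records: reads outside a principal's baselined subscription and resource group, a burst of distinct gallery resources read in a short window, and repeated authorization failures. This is an added example, not part of the advisory. The record shape loosely follows the Azure Activity Log export schema (time, resourceId, operationName, resultType, resultSignature), but the flat "caller" field, the baseline table and every threshold are assumptions to tune per environment. One caveat for anyone wiring this to a live source: the Activity Log does not record read (GET) operations, so the read events this logic consumes have to come from whatever log source your deployment can enable for gallery requests.

```python
"""Detection logic for gallery-read indicators, run over constructed records.

Added example, not part of the advisory. Record fields loosely follow the
Azure Activity Log export schema; the "caller" field, BASELINE and all
thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

GALLERY_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Compute/galleries/(?P<gallery>[^/]+)",
    re.IGNORECASE,
)

# Constructed baseline: (subscription, resource group) pairs each principal
# normally reads. Principals absent from the table alert on every read.
BASELINE = {
    "deploy-sp@example": {("sub-1111", "rg-prod-images")},
    "ops-user@example": {("sub-1111", "rg-prod-images"), ("sub-1111", "rg-lab")},
}


def parse_scope(resource_id):
    """Return (subscription, resource group, gallery) or None for non-gallery ids."""
    m = GALLERY_ID.match(resource_id)
    return (m["sub"], m["rg"], m["gallery"]) if m else None


def analyze(records, burst_threshold=5, window=timedelta(minutes=5), failure_threshold=3):
    alerts = []
    by_caller = defaultdict(list)
    for r in records:
        if not r["operationName"].upper().startswith("MICROSOFT.COMPUTE/GALLERIES/"):
            continue  # not a gallery operation
        scope = parse_scope(r["resourceId"])
        if scope is None:
            continue
        ts = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        by_caller[r["caller"]].append((ts, scope, r))

    for caller, events in by_caller.items():
        events.sort(key=lambda e: e[0])
        expected = BASELINE.get(caller, set())
        # Rule 1: successful reads outside the caller's baselined scopes
        # (cross-subscription or cross-resource-group access).
        for _, (sub, rg, gallery), r in events:
            if r["resultType"] == "Success" and (sub, rg) not in expected:
                alerts.append({"rule": "cross_scope_read", "caller": caller,
                               "scope": f"{sub}/{rg}/{gallery}"})
        # Rule 2: enumeration burst, many distinct resources read in one window.
        for i, (start, _, _) in enumerate(events):
            ids = {e[2]["resourceId"] for e in events[i:]
                   if e[0] - start <= window and e[2]["resultType"] == "Success"}
            if len(ids) >= burst_threshold:
                alerts.append({"rule": "enumeration_burst", "caller": caller,
                               "distinct_resources": len(ids)})
                break
        # Rule 3: repeated authorization failures, consistent with probing.
        denied = [r for _, _, r in events
                  if r["resultType"] == "Failure"
                  and r.get("resultSignature") in ("Forbidden", "Unauthorized")]
        if len(denied) >= failure_threshold:
            alerts.append({"rule": "authz_failures", "caller": caller, "count": len(denied)})
    return alerts


def _rec(time, caller, sub, rg, tail, result, signature="OK",
         op="MICROSOFT.COMPUTE/GALLERIES/IMAGES/VERSIONS/READ"):
    """Build one constructed record in the shape analyze() expects."""
    return {"time": time, "caller": caller, "operationName": op,
            "resourceId": f"/subscriptions/{sub}/resourceGroups/{rg}"
                          f"/providers/Microsoft.Compute/galleries/{tail}",
            "resultType": result, "resultSignature": signature}


# Constructed sample: one cross-scope read, one enumeration burst, three
# forbidden responses, and one non-gallery operation that must be ignored.
SAMPLE = [
    _rec("2026-05-25T10:00:00Z", "deploy-sp@example", "sub-1111", "rg-prod-images",
         "prodgallery/images/base/versions/1.0.0", "Success"),
    _rec("2026-05-25T10:01:00Z", "deploy-sp@example", "sub-2222", "rg-finance",
         "fingallery/images/db/versions/2.1.0", "Success"),
    *[_rec(f"2026-05-25T10:0{n // 2}:{(n % 2) * 30:02d}Z", "ops-user@example", "sub-1111",
           "rg-lab", f"labgallery/images/img{n}/versions/1.0.0", "Success") for n in range(6)],
    *[_rec(f"2026-05-25T10:05:{10 * n:02d}Z", "ops-user@example", "sub-2222", "rg-finance",
           "fingallery/images/db/versions/2.1.0", "Failure", "Forbidden") for n in range(3)],
    {"time": "2026-05-25T10:06:00Z", "caller": "deploy-sp@example",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ",
     "resourceId": "/subscriptions/sub-1111/resourceGroups/rg-prod-images"
                   "/providers/Microsoft.Compute/virtualMachines/vm1",
     "resultType": "Success", "resultSignature": "OK"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE):
        print(a)
```

Against the sample, rule 1 fires once for the deploy service principal reading a gallery in a second subscription, rule 2 fires for the operator reading six distinct image versions within the window, and rule 3 fires for the same operator's three Forbidden responses. The baseline should be built from a quiet period of real records rather than hand-written as it is here.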
How to Mitigate CVE-2026-26147
Immediate Actions Required
- Apply the security update referenced in the Microsoft CVE-2026-26147 Advisory as soon as it is available for your Azure Stack HCI deployment
- Audit role assignments on Azure Compute Gallery resources and remove unnecessary read or contributor permissions
- Rotate credentials and review access tokens for accounts that interact with gallery resources
Patch Information
Microsoft has published guidance through the Microsoft CVE-2026-26147 Advisory. Administrators should consult the advisory for build numbers, update channels, and applicability to specific Azure Stack HCI versions. Apply patches through standard Azure Stack HCI update workflows.
Workarounds
- Enforce least-privilege RBAC on Microsoft.Compute/galleries resources, granting only the minimum role required for each principal
- Restrict network access to management endpoints using Azure Private Link, service endpoints, or firewall rules where supported
- Require conditional access policies and multi-factor authentication for any identity that can call gallery APIs
# Configuration example: review role assignments on a Compute Gallery resource
az role assignment list \
  --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute/galleries/<gallery>" \
  --output table
# Remove an unnecessary assignment
az role assignment delete \
  --assignee <principal-id> \
  --role "Reader" \
  --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute/galleries/<gallery>"
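The `az role assignment list` command above only shows assignments made directly at the gallery scope; a gallery is also readable through assignments inherited from its resource group or subscription. As an added example that is not part of the advisory, the script below post-processes the JSON that `az role assignment list --all --output json` emits (fields principalName, principalType, roleDefinitionName, scope and id) and reports every assignment that grants more than the allowed role set on one gallery, whether direct or inherited. The assignments, gallery path and allowed-role set are constructed so the script runs offline.

```python
"""Audit role assignments that grant access to one Compute Gallery.

Added example, not from the advisory. It consumes the JSON emitted by
`az role assignment list --all --output json`; the assignments below are a
constructed stand-in, and GALLERY and LEAST_PRIVILEGE are assumptions.
"""
import json

GALLERY = ("/subscriptions/sub-1111/resourceGroups/rg-prod-images"
           "/providers/Microsoft.Compute/galleries/prodgallery")
LEAST_PRIVILEGE = {"Reader"}  # roles considered acceptable on the gallery

# Constructed stand-in for the CLI output: one compliant direct assignment,
# one excessive direct assignment, two excessive inherited assignments, and
# one assignment on a resource group whose name merely shares a prefix.
ASSIGNMENTS_JSON = json.dumps([
    {"id": GALLERY + "/providers/Microsoft.Authorization/roleAssignments/aaaa",
     "principalName": "ops-user@example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": GALLERY},
    {"id": GALLERY + "/providers/Microsoft.Authorization/roleAssignments/bbbb",
     "principalName": "sp-build", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": GALLERY},
    {"id": "/subscriptions/sub-1111/providers/Microsoft.Authorization/roleAssignments/cccc",
     "principalName": "sub-admin@example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-1111"},
    {"id": "/subscriptions/sub-1111/resourceGroups/rg-prod-images"
           "/providers/Microsoft.Authorization/roleAssignments/dddd",
     "principalName": "sp-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-1111/resourceGroups/rg-prod-images"},
    {"id": "/subscriptions/sub-1111/resourceGroups/rg-prod"
           "/providers/Microsoft.Authorization/roleAssignments/eeee",
     "principalName": "other@example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-1111/resourceGroups/rg-prod"},
])


def applies_to(scope, target):
    """True if an assignment at `scope` is inherited by `target`. ARM scopes are
    hierarchical paths, so the match must land on a '/' boundary; otherwise
    rg-prod would wrongly match rg-prod-images."""
    s, t = scope.lower().rstrip("/"), target.lower().rstrip("/")
    return t == s or t.startswith(s + "/")


def audit(assignments, target=GALLERY, allowed=LEAST_PRIVILEGE):
    """Return one finding per assignment that grants more than the allowed
    roles on the target, with a remediation hint for each."""
    findings = []
    for a in assignments:
        if not applies_to(a["scope"], target):
            continue
        if a["roleDefinitionName"] in allowed:
            continue
        inherited = a["scope"].lower().rstrip("/") != target.lower()
        if inherited:
            # Deleting an inherited assignment affects every resource under it;
            # flag it for review rather than emitting a delete command.
            remediation = (f"inherited from {a['scope']}: grant a narrower role "
                           f"at gallery scope and review the broader assignment")
        else:
            remediation = f'az role assignment delete --ids "{a["id"]}"'
        findings.append({"principal": a["principalName"], "type": a["principalType"],
                         "role": a["roleDefinitionName"], "scope": a["scope"],
                         "inherited": inherited, "remediation": remediation})
    return findings


if __name__ == "__main__":
    for f in audit(json.loads(ASSIGNMENTS_JSON)):
        print(f["principal"], f["role"], "->", f["remediation"])
```

To run this against a real tenant, replace `ASSIGNMENTS_JSON` with the output of `az role assignment list --all --output json` and set `GALLERY` to the resource ID of the gallery under review; the direct excessive assignments come back with a ready-to-run `az role assignment delete --ids` command, while inherited ones are listed for review because removing them changes access to every resource beneath that scope.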
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.