CVE-2026-35438 Overview
CVE-2026-35438 is a missing authorization vulnerability in Microsoft Windows Admin Center. The flaw allows an authenticated attacker with low privileges to elevate privileges over a network. Microsoft published the advisory on May 12, 2026, and the issue is tracked under CWE-862: Missing Authorization.
The vulnerability carries a CVSS 3.1 base score of 8.3. Exploitation does not require user interaction and the attack vector is network-based. A successful attacker gains high impact on integrity and availability and limited impact on confidentiality.
Critical Impact
An authenticated network attacker can escalate privileges within Windows Admin Center, gaining administrative control over managed Windows servers and endpoints.
Affected Products
- Microsoft Windows Admin Center (see the Microsoft Security Update Guide for affected builds)
- Windows Server instances managed through Windows Admin Center
- Windows client systems administered via Windows Admin Center gateway
Discovery Timeline
- 2026-05-12 - CVE-2026-35438 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-35438
Vulnerability Analysis
The vulnerability stems from missing authorization checks within Windows Admin Center. Windows Admin Center is a browser-based management tool that proxies administrative operations to managed Windows servers and endpoints. When the gateway processes certain requests, it fails to enforce authorization controls that confirm the caller is permitted to perform the requested action.
An attacker with a valid low-privileged account on the Windows Admin Center gateway can invoke privileged operations reserved for administrators. Because the gateway runs with elevated rights against managed nodes, the attacker inherits the ability to change configuration, manipulate services, or alter accounts on those nodes.
The Exploit Prediction Scoring System (EPSS) currently rates exploitation likelihood at the lower end. No public proof-of-concept exploit and no in-the-wild exploitation have been confirmed at the time of publication.
Root Cause
The root cause is an authorization gap classified as [CWE-862]. The application authenticates the requesting user but does not verify that the user holds the role required for the targeted operation. Authorization decisions are either skipped or evaluated against an incorrect resource scope before the privileged action executes.
Attack Vector
Exploitation requires network access to the Windows Admin Center gateway and valid credentials for a low-privileged account. The attacker sends a crafted request to an administrative endpoint that fails to validate authorization. The gateway then performs the operation on a managed node using its elevated service identity, completing the privilege escalation.
No verified exploitation code is available in public sources. Refer to the Microsoft Security Update Guide entry for CVE-2026-35438 for vendor-supplied technical details.
Detection Methods for CVE-2026-35438
Indicators of Compromise
- Unexpected administrative actions on managed nodes initiated through the Windows Admin Center gateway by accounts that lack administrative roles.
- Creation or modification of local administrators, services, or scheduled tasks on managed servers shortly after Windows Admin Center sessions from non-admin users.
- Authentication events on the Windows Admin Center gateway from low-privileged accounts followed by privileged operations within the same session.
Detection Strategies
- Correlate Windows Admin Center gateway logs with Windows Security event logs on managed nodes to identify privileged operations attributed to non-administrative users.
- Alert on role mismatches between the authenticated principal in Windows Admin Center and the privilege level required by the invoked action.
- Use endpoint behavioral identification to flag unusual administrative actions following Windows Admin Center sessions, such as new local admin creation or service binary replacement.
Monitoring Recommendations
- Forward Windows Admin Center gateway logs and managed-node Security and System event logs to a central SIEM for correlation.
- Track event IDs related to privileged group membership changes (4728, 4732, 4756) and service installations (7045) on hosts managed by Windows Admin Center.
- Review Windows Admin Center role assignments on a recurring schedule and alert on unexpected changes to gateway role configuration.
How to Mitigate CVE-2026-35438
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Update Guide for CVE-2026-35438 on all Windows Admin Center gateways.
- Restrict access to Windows Admin Center gateways to administrative networks and named users only.
- Audit Windows Admin Center role assignments and remove unnecessary low-privileged accounts that retain gateway access.
Patch Information
Microsoft has released a security update addressing CVE-2026-35438. Administrators should consult the Microsoft Security Update Guide for the specific Windows Admin Center build numbers and download locations, then deploy the update to every gateway instance in the environment.
Workarounds
- Limit Windows Admin Center gateway exposure to a hardened management subnet protected by host-based or network firewalls.
- Require multi-factor authentication and conditional access for all accounts that can reach the Windows Admin Center gateway.
- Reduce the number of accounts with any role on the Windows Admin Center gateway until the patch is applied across the environment.
# Restrict inbound access to the Windows Admin Center gateway (default TCP/443)
# Replace the source range with your administrative subnet
New-NetFirewallRule -DisplayName "WAC-Admin-Only" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-RemoteAddress 10.10.0.0/24 `
-Action Allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
