Azure SRE Agent flaw lets outsiders silently eavesdrop on enterprise cloud operations
Summary
Microsoft's Azure SRE Agent had a critical authentication flaw (CVE-2026-32173, CVSS score 8.6, a 0-10 rating of severity) that allowed unauthorized attackers to eavesdrop on sensitive agent activity over the network without proper credentials. The vulnerability existed because the service's token validation (a credential check) accepted tokens from any tenant organization and never verified if the attacker actually belonged to the target organization, exposing user prompts, agent responses, executed commands, and credentials.
Solution / Mitigation
Microsoft has fixed the issue server-side, and no customer action is required according to Microsoft's advisory.
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://www.csoonline.com/article/4161389/azure-sre-agent-flaw-let-outsiders-silently-eavesdrop-on-enterprise-cloud-operations.html
First tracked: April 21, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%