Microsoft Silently Patches Critical Azure AKS Privilege Escalation Flaw After Disputing Researcher’s Report
Security researcher Justin O’Leary disclosed a critical privilege escalation vulnerability in Microsoft Azure Backup for AKS, which allowed attackers holding only the low-privileged "Backup Contributor" role to gain cluster-admin access without any prior Kubernetes permissions. The flaw, discovered in March 2026, was reported to Microsoft on March 17, but the company rejected it on April 13, arguing that the issue required pre-existing administrative access, a claim O’Leary called "factually incorrect."
Microsoft’s Security Response Center (MSRC) further dismissed the report as "AI-generated content" when escalating it to MITRE for a CVE assignment, despite the researcher’s technical evidence. The CERT Coordination Center (CERT/CC) independently validated the vulnerability on April 16, assigning it VU#284781 and scheduling public disclosure for June 1, 2026. However, Microsoft intervened on May 4, convincing MITRE to block the CVE, citing the same disputed pre-existing access requirement. Under CNA (CVE Numbering Authority) hierarchy rules, Microsoft, itself a CNA, retained final authority, and the case was closed without a CVE.
How the Attack Worked
The vulnerability stemmed from Azure Backup for AKS’s Trusted Access mechanism, which automatically granted cluster-admin privileges to backup extensions. An attacker with only Backup Contributor permissions on a backup vault could enable backup on a target AKS cluster, triggering Azure to configure Trusted Access with full admin rights. This allowed the attacker to extract secrets or restore malicious workloads into the cluster. O’Leary classified it as a Confused Deputy vulnerability (CWE-441), where Azure and Kubernetes RBAC trust boundaries were improperly enforced.
Microsoft Denies Patch, But Evidence Suggests Otherwise
Microsoft maintained that the behavior was "expected" and that "no product changes were made." However, O’Leary observed that the original exploit path no longer works, with new error messages such as "UserErrorTrustedAccessGatewayReturnedForbidden" indicating that Trusted Access must now be manually configured before enabling backups. Additional permission checks were also introduced, requiring the vault’s Managed Identity (MSI) to have Reader access on the AKS cluster and snapshot resource group, while the AKS cluster MSI now needs Contributor permissions on the snapshot resource group.
Impact and Lack of Transparency
Without a CVE or public advisory, organizations that granted Backup Contributor permissions between an unknown start date and May 2026 remain unaware of their exposure. The silent patch leaves defenders without a clear remediation timeline or visibility into the risk window, raising concerns about vendor accountability in vulnerability disclosure. The case underscores ongoing tensions between researchers and major vendors over severity assessments, CVE assignments, and disclosure practices, particularly as AI-assisted reports strain bug bounty programs.
Microsoft has not issued any official guidance on the fix, leaving affected users without formal notification.
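As an added defender-side check (example code written for this summary, not the researcher's or Microsoft's), the script below cross-references Azure RBAC role assignments with AKS Trusted Access role bindings to list which principals hold Backup Contributor at a scope that covers a vault already bound into a cluster, which is the exposure the article says organizations cannot currently see. It assumes the JSON field names of `az role assignment list` and `az aks trustedaccess rolebinding list` output and the name of the backup Trusted Access role; the sample data is constructed.

```python
import json
from typing import Dict, List

BACKUP_ROLE = "Backup Contributor"
# Assumed name of the Trusted Access role that Azure Backup for AKS binds into a cluster.
BACKUP_OPERATOR_ROLE = "Microsoft.DataProtection/backupVaults/backup-operator"

# Constructed sample shaped like `az role assignment list --all -o json` (field names assumed).
ROLE_ASSIGNMENTS = json.loads("""[
 {"principalName": "ci-backup-sp", "roleDefinitionName": "Backup Contributor",
  "scope": "/subscriptions/sub0/resourceGroups/rg-bk/providers/Microsoft.DataProtection/backupVaults/vault-a"},
 {"principalName": "alice", "roleDefinitionName": "Reader",
  "scope": "/subscriptions/sub0/resourceGroups/rg-bk/providers/Microsoft.DataProtection/backupVaults/vault-a"},
 {"principalName": "ops-team", "roleDefinitionName": "Backup Contributor",
  "scope": "/subscriptions/sub0"}
]""")

# Constructed sample shaped like `az aks trustedaccess rolebinding list` output, keyed by cluster id.
CLUSTER_ID = "/subscriptions/sub0/resourceGroups/rg-aks/providers/Microsoft.ContainerService/managedClusters/prod"
TRUSTED_ACCESS = {CLUSTER_ID: json.loads("""[
 {"name": "backup", "roles": ["Microsoft.DataProtection/backupVaults/backup-operator"],
  "sourceResourceId": "/subscriptions/sub0/resourceGroups/rg-bk/providers/Microsoft.DataProtection/backupVaults/vault-a"}
]""")}


def scope_covers(scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits downward: a scope covers a resource if it equals it or is an ancestor path."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def backup_reach(assignments: List[dict], trusted_access: Dict[str, List[dict]]) -> List[dict]:
    """For every cluster with a backup Trusted Access binding, report principals whose
    Backup Contributor assignment covers the bound vault (subscription-wide grants included)."""
    findings = []
    for cluster_id, bindings in trusted_access.items():
        for b in bindings:
            if BACKUP_OPERATOR_ROLE not in b.get("roles", []):
                continue
            vault = b["sourceResourceId"]
            for a in assignments:
                if a["roleDefinitionName"] == BACKUP_ROLE and scope_covers(a["scope"], vault):
                    findings.append({"principal": a["principalName"], "vault": vault,
                                     "cluster": cluster_id, "granted_at": a["scope"]})
    return findings


if __name__ == "__main__":
    for f in backup_reach(ROLE_ASSIGNMENTS, TRUSTED_ACCESS):
        print(f"{f['principal']} -> {f['cluster']} via {f['vault']} (role scope: {f['granted_at']})")
```

Principals flagged here are the ones whose vault role already reaches a cluster; each such grant deserves a review of whether that principal should be able to trigger backup or restore operations against it.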