Microsoft disclosed CVE-2026-41105 on May 7, 2026, a server-side request forgery flaw in the Azure Monitor Action Group notification system that allows an authenticated attacker to elevate privileges over the network (CVSS 8.1). No in-the-wild exploitation has been reported, and Microsoft has addressed the issue server-side per the MSRC advisory. Concurrently, Microsoft published CVE-2026-35428, a critical command-injection/spoofing vulnerability in Azure Cloud Shell that could permit arbitrary code execution within a victim's session and potential takeover of Azure subscriptions; mitigations were rolled out server-side with no customer action required. Both issues were included in Microsoft's May 2026 security update cycle. Azure customers should review MSRC guidance and audit Action Group and Cloud Shell usage for anomalous activity.
- CVE Alert: CVE-2026-41105 - Microsoft - Azure Monitor Action Gro(opens in a new tab)
- CVE-2026-35428: Azure Cloud Shell Critical Spoofing Fix—No Patch(opens in a new tab)
- CVE-2026-41105 and Azure Monitor Action Groups: When alerts beco(opens in a new tab)
- Microsoft security update summary's for May 2026 | OpenText Cyb(opens in a new tab)
- Windows 11 security update fixes critical Bing and Azure flaws(opens in a new tab)
- CVE-2026-43321: Linux BPF Verifier Register Liveness Bug Exposes(opens in a new tab)