Security researcher Justin O'Leary publicly disclosed a privilege escalation flaw in Azure Backup for AKS that allowed a user holding only the low-privileged Backup Contributor role on a backup vault to obtain cluster-admin access on a target AKS cluster by abusing the Trusted Access relationship that Azure Backup automatically configured. The attack, classified as a Confused Deputy issue (CWE-441) between Azure RBAC and Kubernetes RBAC, let an attacker enable backup on a cluster, extract secrets through backup operations, or restore malicious workloads. Microsoft Security Response Center rejected the March 17, 2026 report as expected behavior requiring pre-existing admin access and recommended against CVE assignment, and CERT/CC subsequently closed its VU#284781 case under CNA hierarchy rules. The researcher reports that the original exploit path no longer works as of May 2026, with new permission checks and a requirement to manually configure Trusted Access before enabling backup, indicating a silent patch despite Microsoft stating no product changes were made. No CVE, advisory, or customer notification has been issued, leaving defenders without visibility into the exposure window for tenants that granted the Backup Contributor role before May 2026.
// Alert
Microsoft Azure threat report
// Microsoft AzureMEDIUM
// Get alerts for Microsoft Azure