CVE-2026-57969: Azure CycleCloud Elevation of Privilege Vulnerability

Overview

Severity
High (CVSS 8.8)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category
Elevation of Privilege
Exploit Status
Not Exploited
Patch Tuesday
2026-Jul
Released
2026-07-14

Description

Missing authentication for critical function in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.

FAQ

How could an attacker exploit this vulnerability? An authenticated user who has the Cluster Creator role could exploit this vulnerability by using a cluster creation operation in a way that bypasses an authorization check. By doing so, the attacker could overwrite another user’s cluster, including a cluster owned by an administrator, and take ownership of it. What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain full control of the affected cluster that was overwritten and taken over. This could allow the attacker to run unauthorized code, remove or alter credentials associated with the cluster, and perform actions with the same level of access available within that cluster. What do I need to do to protect myself? Customers should update to Azure CycleCloud 8.9.1 (Build 8.9.1-3806), which includes the fix for this vulnerability. New installations and upgrades to an existing CycleCloud deployment will receive the updated packages containing the fix. For installation and upgrade guidance, see: Install CycleCloud Upgrade an existing CycleCloud installation Updated packages are available through Microsoft's package repositories and the Azure Marketplace image for CycleCloud 8.9.1.

Affected Products (1)

Azure

  • Azure CycleCloud 8.9.1

Security Updates (3)

Acknowledgments

<a href="https://www.linkedin.com/in/asaf-cohen-4103b75b/">Asaf Cohen</a> with <a href="https://xbreach.ai/">XBreach.ai</a>, XBREACH.AI TEAM with https://xbreach.ai/, XBREACH.AI TEAM with https://xbreach.ai/

Revision History

  • 2026-07-14: Information published.