CVE-2026-58279: Azure CycleCloud Elevation of Privilege Vulnerability

Overview

Severity
Medium (CVSS 6.5)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2026-Jul
Released
2026-07-14

Description

Missing authorization in Azure CycleCloud allows an authorized attacker to elevate privileges over a network.

FAQ

What do I need to do to protect myself? Customers should update to Azure CycleCloud 8.9.1 (Build 8.9.1-3806), which includes the fix for this vulnerability. New installations and upgrades to an existing CycleCloud deployment will receive the updated packages containing the fix. For installation and upgrade guidance, see: Install CycleCloud Upgrade an existing CycleCloud installation Updated packages are available through Microsoft's package repositories and the Azure Marketplace image for CycleCloud 8.9.1. What privileges could be gained by an attacker who successfully exploited the vulnerability? A low-privilege attacker who successfully exploits the vulnerability could potentially elevate their privileges to perform unauthorized modification of another user's cluster. According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) and availability (A:L), but could lead to major loss of integrity (I:H). What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could gain the ability to modify another user's cluster without authorization. It does not lead to information disclosure or service downtime.

Affected Products (1)

Azure

  • Azure CycleCloud 8.9.1

Security Updates (3)

Acknowledgments

XBREACH.AI TEAM with https://xbreach.ai/

Revision History

  • 2026-07-14: Information published.