CVE-2026-33117 CRITICAL

CVE-2026-33117: Azure SDK for Java Security Feature Bypass Vulnerability

Vendor Microsoft
Product Azure SDK for Java
Weakness CWE-287 · Improper authentication
Published May 12, 2026
Last update June 9, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C

What the vulnerability does

Description

The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.
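
The following check is an added example, not part of the advisory or of Microsoft's code: it scans dependency listings (for example the output of `mvn dependency:list`) for Key Vault Keys library versions below the fixed release 4.10.6. The Maven coordinates `com.azure:azure-security-keyvault-keys` are an assumption, since the advisory names the library but not its coordinates, and because the advisory does not state the earliest affected version, every version below 4.10.6 is flagged. The listing in `SAMPLE` is constructed.

```python
import re

# Assumption: Maven coordinates of the Java Key Vault Keys library.
ARTIFACT = "com.azure:azure-security-keyvault-keys"
FIXED = (4, 10, 6)  # fixed version stated in the advisory

# Matches "group:artifact:jar:VERSION:scope" (mvn dependency:list output)
# and plain "group:artifact:VERSION" coordinates.
COORD = re.compile(re.escape(ARTIFACT) + r":(?:jar:)?(\d[\w.\-]*)")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for e.g. '4.10.0-beta.1'."""
    core, _, pre = text.partition("-")
    parts = [int(p) for p in core.split(".")[:3] if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return tuple(parts), bool(pre)


def needs_upgrade(version):
    """True when the version sorts below the fixed release 4.10.6."""
    nums, prerelease = parse_version(version)
    # A pre-release of 4.10.6 itself precedes the fixed release, so flag it.
    return nums < FIXED or (nums == FIXED and prerelease)


def scan(dependency_listing):
    """Return the unique versions in the listing that need upgrading, oldest first."""
    found = {m.group(1) for m in COORD.finditer(dependency_listing)}
    return sorted((v for v in found if needs_upgrade(v)), key=parse_version)


# Constructed sample input, not taken from a real project.
SAMPLE = """\
[INFO]    com.azure:azure-core:jar:1.55.3:compile
[INFO]    com.azure:azure-security-keyvault-keys:jar:4.9.2:compile
[INFO]    com.azure:azure-security-keyvault-secrets:jar:4.9.4:compile
com.azure:azure-security-keyvault-keys:4.10.0-beta.1
com.azure:azure-security-keyvault-keys:4.10.6
"""

if __name__ == "__main__":
    for version in scan(SAMPLE):
        print(f"{ARTIFACT}:{version} is below 4.10.6, upgrade required")
```

A flagged version shows only that the library predates the fix; whether the application is exposed also depends on whether it uses the local cryptography path rather than delegating operations to the Key Vault service.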

Key dates

Disclosure timeline

May 12, 2026 CVE published
June 9, 2026 Record updated