CVE-2026-33117

CRITICAL

Azure SDK for Java Security Feature Bypass Vulnerability

Title source: cna
STIX 2.1

Description

The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.

References (1)

Core 1
Core References
Vendor Advisory vendor-advisory patch
Azure SDK for Java Security Feature Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117

Scores

CVSS v3 9.1
EPSS 0.0048
EPSS Percentile 38.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-287 CWE-347
Status published
Products (3)
com.azure/azure-security-keyvault-keys 0 - 4.10.6Maven
Microsoft/Azure SDK for Java 1.0.0 - 4.10.6
microsoft/azure_sdk_for_java < 4.10.6
Published May 12, 2026
Tracked Since May 12, 2026