How is CVE-2026-48567 exploited?

Network reachability (required): The attacker must reach the Azure HorizonDB service over a network; there is no requirement for local or physical access. Authentication (not-required): No credentials of any privilege level are needed; the vulnerability is exploitable by an entirely unauthenticated attacker. Victim interaction (not-required): No user action, click, or social-engineering step is required to trigger the vulnerability. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

What is the impact of CVE-2026-48567?

The attacker gains elevated privileges within HorizonDB without holding any prior account, bypassing all normal access controls. Due to the changed scope (S:C), the attacker can affect components and data stores outside HorizonDB itself, not just the directly targeted service. Integrity impact is high: the attacker can modify, overwrite, or delete persisted data managed by HorizonDB. Availability impact is high: the attacker can crash or render the HorizonDB service unresponsive, disrupting dependent workloads.

Back to search

CRITICALCVE-2026-48567Published 2026-06-04Modified 2026-06-04CNA microsoft

CVE-2026-48567: Azure HorizonDB Elevation of Privilege Vulnerability

Authentication bypass by spoofing in Azure HorizonDB allows an unauthorized attacker to elevate privileges over a network.

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Authentication bypass by spoofing in Azure HorizonDB allows an unauthenticated remote attacker to elevate privileges without any user interaction. The vulnerability is reachable over the network, requires no prior credentials, and carries a CVSS 10.0 critical score with a changed scope, meaning exploitation can affect components beyond HorizonDB itself. Successful exploitation gives the attacker the ability to tamper with data and disrupt service availability at high severity. HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment Microsoft publishes a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Azure HorizonDB components. Any image found running an affected version is flagged immediately in the customer's pipeline dashboard.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 10.0 critical and weighting it against each customer organization's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer environment based on configured ownership rules.

Available

Patch

No fix version has been published by Microsoft for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Azure HorizonDB service over a network; there is no requirement for local or physical access.
AuthenticationNot required
No credentials of any privilege level are needed; the vulnerability is exploitable by an entirely unauthenticated attacker.
Victim interactionNot required
No user action, click, or social-engineering step is required to trigger the vulnerability.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

The attacker gains elevated privileges within HorizonDB without holding any prior account, bypassing all normal access controls.
Due to the changed scope (S:C), the attacker can affect components and data stores outside HorizonDB itself, not just the directly targeted service.
Integrity impact is high: the attacker can modify, overwrite, or delete persisted data managed by HorizonDB.
Availability impact is high: the attacker can crash or render the HorizonDB service unresponsive, disrupting dependent workloads.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet, HarborGuard continuously re-checks the Microsoft advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation rules that restrict inbound access to HorizonDB endpoints to known internal CIDRs only, egress filtering to limit lateral movement if a container is compromised, and feature-flag gating to disable exposed HorizonDB interfaces where the feature is not operationally required. Given the CVSS 10.0 critical rating and no authentication barrier, these compensating controls are strongly recommended until an official patch is available. Where compliance policy permits, auto-remediation will trigger the full rebuild, regression-test, and PR flow automatically once Microsoft ships a fix, with no manual steps required from the customer team.

See how HarborGuard automates this

Affected packages

Microsoft / Azure HorizonDB
-

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H/E:U/RL:O/RC:C

References

Azure HorizonDB Elevation of Privilege Vulnerability

Metrics

Get notified