Azure HorizonDB Authentication Bypass (CVE-2026-48567): CVSS 10.0 — Maximum Severity in Microsoft Azure Database Service

nick

Azure HorizonDB Authentication Bypass (CVE-2026-48567): CVSS 10.0 — Maximum Severity in Microsoft Azure Database Service

by

A maximum-severity authentication bypass vulnerability in Azure HorizonDB, tracked as CVE-2026-48567, allows an unauthenticated attacker to elevate privileges over a network. The vulnerability carries a CVSS score of 10.0 — the highest possible severity — and affects Microsoft’s Azure cloud database service.

What Is the Vulnerability?

CVE-2026-48567 is an authentication bypass by spoofing vulnerability in Azure HorizonDB. The flaw allows an unauthorised attacker to bypass authentication mechanisms and elevate privileges over a network without valid credentials. With a CVSS score of 10.0 — the maximum possible — the vulnerability has the most severe combination of attributes: network-exploitable, low attack complexity, no privileges required, no user interaction, and high impact across confidentiality, integrity, and availability.

Azure HorizonDB is a Microsoft Azure database service. As a cloud-managed service, the exact architecture and multi-tenancy implications depend on the deployment model. Microsoft assigning the maximum CVSS score signals that the impact is severe and the barrier to exploitation is minimal.

  • CVSS v3.1 Score: 10.0 (Critical) — maximum possible severity
  • CWE: CWE-290 (Authentication Bypass by Spoofing)
  • Attack Vector: Network (AV:N)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)

Which Versions Are Affected?

Azure HorizonDB — specific versions and deployment details are available in the Microsoft Security Response Center advisory. As a cloud service, Microsoft may have already applied the fix to managed instances.

Is It Being Exploited in the Wild?

No active exploitation has been publicly confirmed at the time of writing. However, the CVSS 10.0 score — indicating trivial exploitability with maximum impact — makes this a high-priority item even without confirmed exploitation.

What Is the Fix?

Microsoft has released a security update. For Azure-managed HorizonDB instances, verify with Azure support that the service-side patch has been applied. The official advisory is at:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48567

Recommendations

Verify patch status with Azure support. For Azure-managed HorizonDB instances, confirm that Microsoft has applied the service-side fix.

Audit database access logs. Review Azure audit logs and database access logs for unauthorised authentication events or unexpected privilege escalations during the vulnerable window.

Rotate database credentials. After confirming the patch is applied, rotate all HorizonDB credentials and access keys as a precaution.

References

This advisory was first covered in the broader Vulnerability Intelligence Report — June 5, 2026.

Threat Modeling and Security by Design

Threat modeling and Security by Design methods, tools, and approaches to help secure your business and IT landscape.

Terms of Service | Privacy Policy

AI chatbot & help center by 99helpers.com

Threat Modeling
Threat Modeling Tool
Threat Modeling Tool Explainer
What is Threat Modeling?
STRIDE Threat Modeling
PASTA Threat Modeling
Automated Threat Modeling
Threat Modeling Framework
CISO Security Mind Map 2026
CIS Controls
OWASP Top 10

© Threat-Modeling.com

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!