CVE-2026-40379

Daily digests

Azure Entra ID (formerly Azure AD) leaks sensitive information to unauthenticated attackers, enabling spoofing over the network. CVSS 9.3. The practical risk: an attacker could impersonate identities or forge tokens in your tenant. This is an identity-plane bug, which makes it dangerous even if your apps are otherwise well-configured.

• Patch Tuesday · May 13, 2026

  Patch Tuesday May 2026: DNS + Netlogon at 9.8, 19 more