CVE-2026-57969 is an Azure CycleCloud elevation of privilege vulnerability caused by missing authentication for a critical function. Microsoft rates it High severity with a CVSS v3.1 base score of 8.8 and temporal score of 7.7. The vector is network-based, low complexity, requires low privileges, and no user interaction, with high confidentiality, integrity, and availability impact. Microsoft says it is not publicly disclosed and not exploited, and exploit code maturity is unproven. For enterprise environments, this is relevant because it affects a network-reachable management service and can let an authenticated user with limited role access take over another user’s cluster. Highlights: - CVSS scores: Base 8.8 - Temporal 7.7 - Exploit status & code maturity: Publicly Disclosed: No; Exploited: No; Exploit Code Maturity: UNPROVEN. - Impact: Elevation of Privilege with HIGH confidentiality, HIGH integrity, and HIGH availability impacts. - Exploitation likelihood: Not stated as “Exploitation More Likely” in the source data; vector context is NETWORK, LOW attack complexity, LOW privileges required, and NO user interaction. - Severity for enterprise: High. Network-exposed Azure CycleCloud instances are higher risk because exploitation can be carried out remotely by an authenticated low-privilege user and can lead to cluster takeover. - Patch status: available Affected systems: - Azure CycleCloud