We’ve disclosed CVE-2026-26117 affecting Azure Arc on Windows: a high severity local privilege escalation that can also be used to take over the machine’s cloud identity.

In practical terms, this means a low-privileged user on an Arc-joined Windows host may be able to escalate to higher privileges and then abuse the Arc identity context to pivot into Azure.

If you’re running Azure Arc–joined Windows machines and your Arc Agent services are below v1.61, assume you’re impacted update to v1.61.

Found a new Azure vulnerability -

CVE-2026-2096, a high-severity flaw in the Azure SSO implementation of Windows Admin Center that allows a local administrator on a single machine to break out of the VM and achieve tenant-wide remote code execution.