CVE-2026-26117 is a local privilege escalation vulnerability in the Azure Arc Connected Machine Agent that allows any user with local login access to a connected server to escalate their privileges to SYSTEM. The consequence is not just local system control — it is access to the server’s Azure managed identity, which can be weaponised to pivot directly into Azure resources and abuse whatever Azure RBAC permissions the machine identity holds. CVSS score: 7.8 (High). Patched in Azure Arc Agent v1.61, released March 2026.
Azure Arc and HIMDS: What’s at Stake
Azure Arc extends Azure management to on-premises servers, edge systems, and multi-cloud VMs. When a server has the Arc Connected Machine Agent installed, it can be managed through the Azure portal, assigned Azure Policy, and — critically — given a system-assigned managed identity. That identity can hold Azure RBAC roles: Reader, Contributor, or in misconfigured deployments, Owner-level permissions over Azure subscriptions.
The Hybrid Instance Metadata Service (HIMDS) is the local component that handles managed identity token issuance on Arc-connected servers. HIMDS runs as a local HTTP service that issues short-lived Azure AD tokens to processes running on the machine. The token endpoint is intentionally accessible only to SYSTEM-level processes — or so the design intended.
CVE-2026-26117 undermines that boundary.
The Vulnerability: Race Condition in Port Binding
During the Arc Agent startup sequence, HIMDS binds to its service port in a window that is vulnerable to a race condition. A low-privilege local process can win this race and bind to the target port before HIMDS does, positioning itself as a proxy or interceptor for HIMDS token requests from the agent itself.
The precise exploitation path documented in the security advisory involves:
- A non-privileged process monitors for the Arc Agent service startup sequence
- On restart or startup, the process competes for the port binding before HIMDS acquires it
- Once bound, the attacker process receives inbound HIMDS communication from other Arc Agent components
- Through the intercepted communication channel, the process can trigger actions that execute with SYSTEM privileges — including requesting managed identity tokens from the Azure token endpoint
The result is SYSTEM-level code execution on the local machine, plus access to the managed identity token that the HIMDS service would have issued to authorised callers.
From Local Escalation to Azure Pivot
The managed identity token obtained after privilege escalation is a short-lived Azure AD bearer token valid for the resources and roles assigned to the Arc-connected server’s identity. What an attacker can do with this token depends entirely on the RBAC configuration of that managed identity.
Common misconfigured scenarios that create high-impact exploitation paths:
Reader/Contributor on the subscription. Many organisations grant Arc-connected servers broad read access to Azure resources for monitoring and compliance purposes. A Reader token lets an attacker enumerate all resources in the subscription — storage accounts, key vaults, databases, application configurations. Contributor access allows resource creation and modification.
Key Vault access. If the managed identity has Get/List access to Azure Key Vault, the attacker can extract secrets, certificates, and keys stored there. This is common in automation scenarios where on-premises servers need to retrieve credentials stored in Key Vault.
Storage account access. Storage Blob Data Reader or Contributor access to storage accounts allows data exfiltration from Azure Blob Storage — backup data, logs, application data, and any blobs the managed identity can reach.
Lateral movement to other Azure Arc servers. If the compromised server’s managed identity has access to other Arc-connected servers — through Azure Automation, Azure Policy, or shared resource groups — the token can be used to chain further access.
Attack Prerequisites and Reachability
CVE-2026-26117 requires local access to an Arc-connected server. This means the vulnerability is not directly exploitable over the internet — but “local access” in enterprise environments covers a broad range of attack scenarios:
- Ransomware affiliates who have already achieved initial access to an endpoint and are enumerating privilege escalation paths
- Insider threat scenarios where a low-privilege user on a server discovers the vulnerability
- RDP or VDI environments where multiple users share access to Arc-connected jump servers
- Compromised build servers or CI/CD agents that run as non-privileged service accounts but have network access to Arc-connected infrastructure hosts
In each of these scenarios, CVE-2026-26117 converts a local compromise into an Azure cloud identity compromise, potentially bypassing all perimeter and network controls protecting Azure resources.
Affected Versions and Patch Status
CVE-2026-26117 affects Azure Arc Connected Machine Agent versions prior to v1.61. The patch was released in March 2026 and changes the HIMDS port binding sequence to eliminate the exploitable race window, while also adding an integrity check that prevents non-SYSTEM processes from intercepting the HIMDS communication channel.
Verify your Arc Agent version:
# Check Arc Agent version on Windows
(Get-Item "C:\Program Files\AzureConnectedMachineAgent\azcmagent.exe").VersionInfo.FileVersion
# Or via Azure portal: Azure Arc > Servers > [server name] > Properties > Agent version
Update command:
# Windows: Update via Windows Update or manual download from aka.ms/AzureArcAgent
# Linux:
sudo apt-get update && sudo apt-get install --only-upgrade azcmagent
# or
sudo yum update azcmagent
Detection
Signs of CVE-2026-26117 exploitation on a connected server:
- Unexpected process binding to the HIMDS port during Arc Agent startup — monitor for processes other than
himds.exeorazcmagent.exeacquiring the HIMDS service port - HIMDS token requests originating from processes that are not part of the Arc Agent (look for unusual processes making HTTP calls to
localhoston the HIMDS port) - Azure AD token issuance events for the server’s managed identity at unusual times or followed by unexpected Azure resource access (review Entra ID sign-in logs filtered to managed identity activity)
- Lateral movement from the server into Azure using the managed identity — Azure Activity Log entries for the server’s service principal performing resource enumeration or access that is inconsistent with the server’s role
Microsoft Defender for Cloud generates an alert for managed identity token abuse under the category “Suspicious use of managed identity token,” which should be reviewed in the context of CVE-2026-26117 exploitation.
Broader Context: Arc as an Expanding Attack Surface
Azure Arc has become a common component of hybrid cloud deployments, with Microsoft reporting tens of thousands of organisations using Arc to connect on-premises servers to Azure management. As Arc adoption has grown, so has attacker interest in Arc-specific attack paths.
CVE-2026-26117 follows a pattern documented in other Arc and managed identity vulnerabilities: the attack value of a managed identity compromise is determined entirely by the permissions attached to that identity, not by the vulnerability used to access it. Security teams that apply least-privilege to Arc managed identities limit the blast radius of any compromise; teams that have granted broad Azure RBAC to connected servers for operational convenience have created disproportionate risk.
A direct audit of every Arc-connected server’s managed identity and its Azure RBAC assignments is a useful remediation step alongside patching — the patch closes the escalation path, but reviewing whether the escalation target (the managed identity permissions) is appropriately scoped is the more durable security improvement.