PERMISSION/PROTOCOL

2026-05-04

High
Primary

Azure SRE Agent exposed live command streams to any Entra ID account via unauthenticated WebSocket

CVE-2026-32173 (CVSS 8.6) in Azure SRE Agent let any Entra ID account access live command streams, internal reasoning traces, and deployment credentials via a multi-tenant WebSocket hub with no tenant isolation.

Microsoft Azure SRE Agent
Credential exposure
Unauthenticated multi-tenant WebSocket exposes live agent command streams and credentials
Azure SRE Agent /agentHub WebSocket endpoint (all tenants at GA launch, March 10, 2026)

What happened

Any Entra ID account from any tenant can connect to /agentHub and receive a broadcast of all live agent activity, including commands and credentials.

Why it matters

Passive disclosure of live command streams, internal reasoning traces, deployment credentials, and infrastructure context — exploitable with only the target's subdomain and ~15 lines of Python; no trace left on victim infrastructure

Missing authorization check

Per-connection tenant isolation check verifying the caller belongs to the target tenant and holds an explicit role on the target Azure SRE Agent resource

Would PP block it?

PP enforces that agent actions against named resources require a receipt signed by an authorized principal within the correct organizational scope. An attacker eavesdropping on the WebSocket would observe commands and credentials but would not be able to generate a valid PP receipt for the target tenant, limiting their ability to replay or escalate those credentials through PP-gated systems. The root fix requires Microsoft's server-side patch, not a PP gate.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-03-10

    Azure SRE Agent reaches general availability — vulnerability present at launch.

  2. 2026-05-04

    Enclave AI researcher Yanir Tsarimi discovers and reports CVE-2026-32173 (CVSS 8.6).

  3. 2026-05-04

    Microsoft applies server-side patch; no customer action required per advisory.

  4. 2026-05-07

    CSO Online and security outlets publish full disclosure; Adversa AI covers in May 2026 roundup.

Technical breakdown

  • The /agentHub SignalR WebSocket endpoint accepted any valid Entra ID token because the underlying app registration was configured as multi-tenant.
  • Token validation checked: Is the token valid? Is the audience correct? It never asked: Does this caller belong to the target tenant? Do they have a role on this resource?
  • Once connected, the hub broadcast all agent events to all clients with no identity filtering — fully open to any connected account.
  • Exposed data included user prompts, agent reasoning traces, every command with full arguments, command output, and deployment credentials appearing during troubleshooting.
  • The target agent's subdomain was predictable and enumerable; exploitation required only ~15 lines of Python and left no trace on the victim's infrastructure.
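The per-connection check the breakdown says was missing, and the tenant-scoped event routing that replaces the open broadcast, as an added example in Python (not Microsoft's code and not taken from the advisory). The claim names aud, tid and oid are standard Entra ID token claims; the resource id, tenant ids, role name and tokens are constructed placeholders, and signature validation is assumed to have already happened.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AgentResource:
    resource_id: str   # constructed placeholder for the agent resource id
    tenant_id: str     # Entra tenant that owns the resource
    audience: str      # expected `aud` claim for the hub

# Constructed RBAC table: resource_id -> principal object id (`oid`) -> roles.
# Azure role assignments live outside the token, so the check must consult them.
ROLE_ASSIGNMENTS = {"agent-a": {"oid-alice": {"SreAgent.Operator"}}}

RESOURCE = AgentResource(resource_id="agent-a", tenant_id="tenant-a",
                         audience="api://sre-agent-hub")

def vulnerable_accept(claims: dict, resource: AgentResource) -> bool:
    """Pre-patch logic as the breakdown describes it: the token is already
    signature-checked and the audience matches; nothing else is asked."""
    return claims.get("aud") == resource.audience

def hardened_accept(claims: dict, resource: AgentResource,
                    assignments: dict = ROLE_ASSIGNMENTS,
                    required_role: str = "SreAgent.Operator") -> tuple[bool, str]:
    """Per-connection tenant isolation: audience, then caller tenant, then an
    explicit role on this specific resource. Each refusal names the gap closed."""
    if claims.get("aud") != resource.audience:
        return False, "audience mismatch"
    if claims.get("tid") != resource.tenant_id:
        return False, "caller tenant is not the resource tenant"
    roles = assignments.get(resource.resource_id, {}).get(claims.get("oid"), set())
    if required_role not in roles:
        return False, "no role on this resource"
    return True, "ok"

def route_event(event: dict, connections: list[dict]) -> list[str]:
    """Deliver a hub event only to connections bound to the same tenant and
    resource, instead of broadcasting it to every connected client."""
    return [c["id"] for c in connections
            if c["tenant_id"] == event["tenant_id"]
            and c["resource_id"] == event["resource_id"]]

# Constructed decoded claim sets (no real tokens; signatures assumed verified).
OUTSIDER = {"aud": "api://sre-agent-hub", "tid": "tenant-b", "oid": "oid-mallory"}
INSIDER  = {"aud": "api://sre-agent-hub", "tid": "tenant-a", "oid": "oid-bob"}
OPERATOR = {"aud": "api://sre-agent-hub", "tid": "tenant-a", "oid": "oid-alice"}

if __name__ == "__main__":
    for name, claims in (("outsider", OUTSIDER), ("insider", INSIDER), ("operator", OPERATOR)):
        print(name, "vulnerable:", vulnerable_accept(claims, RESOURCE),
              "hardened:", hardened_accept(claims, RESOURCE))
```

The outsider token passes the pre-patch audience-only check but is refused by the hardened one before any role lookup, which is the tenant boundary the advisory says was never enforced.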

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at
Infrastructure authentication layer / Azure SRE Agent gateway
Still needs
PP does not validate WebSocket connection-level authentication at the Azure infrastructure layer
Receipt required for
Any cross-tenant access to agent activity streams; any agent action that exposes deployment credentials or infrastructure state

PP's identity scoping model would flag agent actions carried out without a valid tenant-bound authority receipt. It would not prevent the WebSocket eavesdropping itself, which is an infrastructure authentication gap.

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
