Imagine you hired an assistant who has access to everything: your servers, your logs, your passwords, your source code. Now imagine a total stranger, from a completely unrelated company, could silently listen to every conversation that assistant has. Watch every action they take. See every credential that came up. And no one inside your building would ever know.
That's what we found in Azure SRE Agent.
What Is Azure SRE Agent?
It's Microsoft's always-on AI operations platform, just released to general availability. You connect it to your Azure environment and it becomes a 24/7 ops partner -- watching for alerts, diagnosing outages, and executing fixes on your behalf: restarting services, scaling resources, rolling back deployments, running any Azure CLI command.
It has access to your source code, logs, metrics, infrastructure state, and incident platforms like PagerDuty and ServiceNow. Microsoft's own Azure App Service team cut their average incident resolution time from 40 hours to 3 minutes using it.
The Vulnerability
Azure SRE Agent streams all activity in real time through a WebSocket endpoint called /agentHub. Every message, every agent response, every internal reasoning step flows through it.
The endpoint requires a token to connect -- but the underlying app registration is configured as multi-tenant. That means any Azure AD account, from any company anywhere, can obtain a valid token. Microsoft's own auth infrastructure issues it freely.
The hub then checked:
Is the token valid? Yes.
Is the audience correct? Yes.
It never asked:
Does this caller belong to the target's tenant?
Are they authorized to use this agent?
Do they have any role on this resource?
Once connected, all events were broadcast to all clients with no identity filtering. You were in. You saw everything.
The Attack Left No Trace
The only record of the connection existed in the attacker's terminal.
Victim organizations had no way to detect it, no way to investigate after the fact, and no way to scope what had been exposed.
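The authorization questions the hub never asked, together with a connection record the resource owner can review afterwards, as an added example (not Microsoft's code and not from the original write-up). It assumes `claims` comes from a token whose signature and expiry were already verified. The audience value, agent IDs, tenant IDs and object IDs are constructed; `aud`, `tid` and `oid` are the standard Entra ID token claims.

```python
from dataclasses import dataclass

EXPECTED_AUDIENCE = "api://example-agent-hub"  # constructed placeholder value

@dataclass(frozen=True)
class Agent:
    agent_id: str
    tenant_id: str                 # tenant that owns the agent resource
    role_holders: frozenset        # object IDs (oid) assigned a role on it

# claims: dict from an already signature-verified token (assumption)
def weak_check(claims, agent):
    """Checks described in the article: valid token, correct audience."""
    return claims.get("aud") == EXPECTED_AUDIENCE

def hardened_check(claims, agent):
    """Adds the tenant and role questions the article lists as missing."""
    return (claims.get("aud") == EXPECTED_AUDIENCE
            and claims.get("tid") == agent.tenant_id
            and claims.get("oid") in agent.role_holders)

class Hub:
    """Delivers each event only to connections authorized for that agent."""
    def __init__(self, agents):
        self.agents = {a.agent_id: a for a in agents}
        self.inboxes = {}          # agent_id -> list of per-connection inboxes
        self.audit = []            # every attempt, accepted or rejected

    def connect(self, claims, agent_id):
        agent = self.agents.get(agent_id)
        ok = agent is not None and hardened_check(claims, agent)
        self.audit.append((agent_id, claims.get("tid"), claims.get("oid"), ok))
        if not ok:
            raise PermissionError("caller is not authorized for this agent")
        inbox = []
        self.inboxes.setdefault(agent_id, []).append(inbox)
        return inbox

    def publish(self, agent_id, event):
        for inbox in self.inboxes.get(agent_id, ()):   # never a global broadcast
            inbox.append(event)

# Constructed sample data: two tenants, one agent each.
AGENT_A = Agent("agent-a", "tenant-a", frozenset({"oid-alice"}))
AGENT_B = Agent("agent-b", "tenant-b", frozenset({"oid-bob"}))
ALICE = {"aud": EXPECTED_AUDIENCE, "tid": "tenant-a", "oid": "oid-alice"}
BOB = {"aud": EXPECTED_AUDIENCE, "tid": "tenant-b", "oid": "oid-bob"}
```

With only `weak_check`, a token from tenant-b is accepted for tenant-a's agent; `hardened_check` rejects it, and the audit list records the rejected attempt.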
What We Could See
Every message a user sent to the agent. Every response the agent gave back. The agent's internal reasoning -- its private notes about your infrastructure before it acted. Every command it ran, including the full arguments. Every command's output, including credentials.
In our own test environment, we watched the agent run a routine task and return deployment credentials for live web applications.
An eavesdropper on a real target would have received the same. Silently. With nothing to indicate anyone else was on the line.
How Easy Was It?
All you need is the target agent's subdomain; the URL format is predictable and enumerable.
About 15 lines of Python.
Every deployed Azure SRE Agent instance was potentially reachable this way.
Disclosure
We reported this to Microsoft Security Response Center. They confirmed it, rated it Critical, and patched it server-side.
Note: At time of publication, Microsoft's advisory page for CVE-2026-32173 returns a 404. The NVD record is available at nvd.nist.gov/vuln/detail/CVE-2026-32173.
The Bigger Picture
This isn't a story about one missing permission check. It's about what happens when AI agents get deployed into sensitive environments before the security model catches up.
AI agents aggregate context by design. They pull data from your environment, reason about it, act on it. That's their value. It's also what makes an authorization failure in an agent far more damaging than the same failure in a conventional API.
When an AI agent is exposed, you don't lose one endpoint's data. You potentially lose everything it ever touched -- synthesized, reasoned about, and streamed in plain text.
What To Do
If you ran Azure SRE Agent during the preview period, treat that window as potentially exposed. Review any credentials, configuration data, or sensitive information that may have passed through agent conversations or CLI outputs.
If you're adopting it now at GA, the vulnerability is already closed. No action needed.
CVE-2026-32173 -- Azure SRE Agent Information Disclosure Vulnerability
Published: April 2, 2026 | CVSS: 8.6 (HIGH) | CWE-287: Improper Authentication
nvd.nist.gov/vuln/detail/CVE-2026-32173
