Researcher Claims Microsoft Silently Patched Azure Backup for AKS Vulnerability
Microsoft rejected the report and no CVE followed
Microsoft is facing scrutiny after a security researcher claimed the company quietly changed Azure Backup for AKS behavior after rejecting a vulnerability report tied to Kubernetes cluster-admin access.
Microsoft faces questions over Azure Backup for AKS flaw
Security researcher Justin O’Leary says he found the issue in March 2026 and reported it to Microsoft on March 17. According to his account, the flaw allowed a user with the low-privileged Backup Contributor role to gain cluster-admin access inside an Azure Kubernetes Service cluster.
Microsoft rejected the report on April 13, saying the behavior required the attacker to already have administrator access. O’Leary disputes that conclusion and says the attack required no Kubernetes permissions before exploitation.
The CVE dispute adds to the controversy
O’Leary escalated the case to the CERT Coordination Center (CERT/CC), which reportedly validated the issue on April 16 and assigned it VU#284781. CERT/CC planned public disclosure for June 1, 2026, but Microsoft allegedly contacted MITRE on May 4 to argue against issuing a CVE.
The case was later closed under CNA hierarchy rules. Since Microsoft acts as the CVE Numbering Authority (CNA) for its own products, the company effectively controlled whether the issue received a CVE.
How the attack allegedly worked
The alleged flaw involved Azure Backup for AKS and its Trusted Access relationship with Kubernetes clusters. O’Leary says a Backup Contributor on a backup vault could trigger Azure to configure high-level permissions on a target AKS cluster.
That allegedly allowed the backup service to act with more authority than the user should have had. O’Leary described it as a Confused Deputy vulnerability involving Azure RBAC, Kubernetes RBAC, and the trust boundary between them.
Microsoft says no vulnerability existed
Microsoft told BleepingComputer it does not consider the behavior a security vulnerability. The company also said no product changes were made, no CVE was issued, and no CVSS score applies.
However, O’Leary says the original attack path no longer works. He reported new errors, including UserErrorTrustedAccessGatewayReturnedForbidden, and says Azure Backup for AKS now requires Trusted Access to be configured manually before backup can be enabled.
Defenders may still need to review access
The lack of a CVE leaves security teams without a simple way to track exposure. Organizations that granted Backup Contributor access before May 2026 may want to audit backup activity, vault permissions, and AKS-related role assignments.
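One way to do that audit, as an added example that is not part of the original article and not Microsoft tooling: export role assignments with `az role assignment list --all -o json` and each cluster's Trusted Access bindings with `az aks trustedaccess rolebinding list`, then map every Backup Contributor granted before the May 2026 cutoff to the AKS clusters whose Trusted Access binding points at a vault inside that principal's scope. The two JSON samples below are constructed in the shape of those commands' output (the `createdOn`, `scope`, `sourceResourceId` and `id` field names and the `backup-operator` role string are assumptions about that output, not values from the page); the cutoff date and the subscription, vault, cluster and principal names are placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `az role assignment list --all -o json`.
SAMPLE_ROLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "backup-ops@example.com", "principalType": "User",
   "roleDefinitionName": "Backup Contributor",
   "scope": "/subscriptions/SUB/resourceGroups/rg-backup/providers/Microsoft.DataProtection/backupVaults/vault-prod",
   "createdOn": "2026-02-03T10:15:00+00:00"},
  {"principalName": "grp-platform", "principalType": "Group",
   "roleDefinitionName": "Backup Contributor",
   "scope": "/subscriptions/SUB",
   "createdOn": "2025-09-12T08:00:00+00:00"},
  {"principalName": "sp-ci-pipeline", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Backup Contributor",
   "scope": "/subscriptions/SUB/resourceGroups/rg-backup",
   "createdOn": "2026-05-20T09:00:00+00:00"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/SUB",
   "createdOn": "2025-11-01T08:00:00+00:00"}
]""")

# Constructed sample shaped like `az aks trustedaccess rolebinding list` output.
# The binding id is assumed to carry the cluster resource path as its prefix.
SAMPLE_TRUSTED_ACCESS = json.loads("""[
  {"id": "/subscriptions/SUB/resourceGroups/rg-aks/providers/Microsoft.ContainerService/managedClusters/aks-prod/trustedAccessRoleBindings/backup-binding",
   "name": "backup-binding",
   "sourceResourceId": "/subscriptions/SUB/resourceGroups/rg-backup/providers/Microsoft.DataProtection/backupVaults/vault-prod",
   "roles": ["Microsoft.DataProtection/backupVaults/backup-operator"]}
]""")

# Placeholder: assignments created before this date predate the behaviour
# change the researcher describes and deserve a closer look.
CUTOFF = datetime(2026, 5, 1, tzinfo=timezone.utc)


def scope_covers(assignment_scope, resource_id):
    """Azure RBAC inherits downwards: an assignment at subscription or
    resource-group scope covers every resource underneath that scope."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.lower()
    return r == a or r.startswith(a + "/")


def backup_contributors_before(assignments, cutoff=CUTOFF):
    """Backup Contributor assignments created before the cutoff."""
    found = []
    for a in assignments:
        if a["roleDefinitionName"] != "Backup Contributor":
            continue
        if datetime.fromisoformat(a["createdOn"]) < cutoff:
            found.append(a)
    return found


def cluster_of(binding):
    """Strip the binding suffix to recover the AKS cluster resource id."""
    return binding["id"].split("/trustedAccessRoleBindings/")[0]


def reachable_clusters(assignments, bindings, cutoff=CUTOFF):
    """Map each pre-cutoff Backup Contributor principal to the clusters whose
    Trusted Access binding trusts a vault inside that principal's scope."""
    result = {}
    for a in backup_contributors_before(assignments, cutoff):
        for b in bindings:
            if scope_covers(a["scope"], b["sourceResourceId"]):
                result.setdefault(a["principalName"], set()).add(cluster_of(b))
    return {name: sorted(clusters) for name, clusters in result.items()}


def report(assignments, bindings, cutoff=CUTOFF):
    """Human-readable lines: one per principal/cluster pair to review."""
    lines = []
    for name, clusters in sorted(reachable_clusters(assignments, bindings, cutoff).items()):
        for c in clusters:
            lines.append(f"REVIEW {name} -> {c.rsplit('/', 1)[-1]} (via Trusted Access vault binding)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_TRUSTED_ACCESS)))
```

The subscription-scoped group is flagged as well as the vault-scoped user, because inherited scope reaches the vault just as a direct assignment does; the service principal granted after the cutoff is left out. Replace the two samples with the real command output and the cutoff with the date your tenant's assignments should be measured against.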
In other security news, threat actors are abusing Microsoft Teams to spread ModeloRAT malware, while Exchange Server customers are also dealing with a critical OWA vulnerability.