ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-35438 — Windows Admin Center Privilege Escalation via Missing Authorization in Update API

A short review of CVE-2026-35438, a missing authorization flaw in the Windows Admin Center update API that lets low privileged authenticated users install arbitrary software versions, along with patch details for the official fix in version 2.6.5.16.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-35438 — Windows Admin Center Privilege Escalation via Missing Authorization in Update API
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing authorization check in the Windows Admin Center update API quietly gave any low privileged authenticated user the ability to install arbitrary software versions on the management gateway, including downgrading to older builds carrying known vulnerabilities. For organizations that rely on Windows Admin Center as their centralized HTML5 portal for managing servers, clusters, and Azure VMs, this flaw (CVE-2026-35438, CVSS 8.3) turned the update mechanism itself into an attack surface that could undermine the integrity and availability of the entire administrative infrastructure.

Technical Information

Root Cause: Missing Authorization (CWE-862)

The core issue is a missing authorization check on the update API endpoint within Windows Admin Center. This endpoint is responsible for triggering software version installations and modifications. Under normal operation, only users with elevated administrative permissions should be able to invoke this functionality. However, the vulnerable implementation failed to enforce that authorization boundary, meaning any authenticated user with basic (low privilege) access could interact with the update API as though they held higher level permissions.

This weakness is classified under CWE-862 (Missing Authorization), which describes scenarios where software does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack Flow

The exploitation path for CVE-2026-35438 follows a straightforward sequence:

  1. Initial Access: The attacker authenticates to the Windows Admin Center instance over the network using a low privileged account. No special access conditions or extenuating circumstances are required; the attack complexity is rated Low.

  2. API Request Crafting: The attacker sends a specially crafted request to the Windows Admin Center update API endpoint. Because the endpoint lacks proper authorization checks, it does not verify whether the requesting user has sufficient privileges to perform update operations.

  3. Arbitrary Version Installation: The attacker leverages the unprotected API to install any available Windows Admin Center version from the update catalog. This includes the ability to:

    • Overwrite the current installation with the same version (disrupting service).
    • Downgrade to an older version that contains known, previously patched vulnerabilities.
    • Install a different build that alters the behavior of the management gateway.
  4. Impact Realization: The integrity impact is High because the attacker can overwrite or alter the existing installation. The availability impact is also High because normal operations can be completely disrupted. Confidentiality impact is rated Low; while the exploit does not directly expose sensitive data, installing an older version with known information disclosure flaws could create indirect exposure.

CVSS Breakdown

The full CVSS 3.1 vector string is:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H/E:U/RL:O/RC:C

Key observations from the metrics:

MetricValueSignificance
Attack VectorNetworkExploitable remotely across one or more network hops
Attack ComplexityLowNo specialized conditions required
Privileges RequiredLowOnly basic user capabilities needed
User InteractionNoneExploitable solely at the will of the attacker
ScopeUnchangedImpacts only the vulnerable component
Integrity ImpactHighExisting installation can be overwritten
Availability ImpactHighNormal operations can be completely disrupted
Confidentiality ImpactLowNo direct sensitive data exposure

The combination of network accessibility, low complexity, low privilege requirements, and no user interaction makes this vulnerability particularly accessible to any insider or compromised account holder on the network.

Patch Information

Microsoft addressed CVE-2026-35438 with an official security update released on May 12, 2026, as part of the May 2026 Patch Tuesday cycle. The fix is delivered as a new build of Windows Admin Center version 2.6.5.16, available for download at aka.ms/downloadWAC, with accompanying release notes at aka.ms/wac2511.

The patch in version 2.6.5.16 enforces proper authorization checks on the update API, ensuring that only users with the appropriate elevated permissions can trigger version installations or modifications through the Windows Admin Center update path. After the fix is applied, low privileged authenticated users can no longer manipulate the software update lifecycle.

Post update validation is important here. Administrators should verify that the Windows Admin Center installation is running the latest secure version after patching. Because the vulnerability specifically allows attackers to install older versions, confirming that low privileged users can no longer access the update API is a critical validation step.

A note on the Azure Portal variant: A related but distinct companion vulnerability, CVE-2026-41086, affects Windows Admin Center in Azure Portal and has its own separate fix (version 2.6.7), available at a different download location. Organizations running both on premises and Azure Portal variants of Windows Admin Center should ensure they apply both updates.

The vulnerability was reported by sho odagiri of GMO Cybersecurity by Ierae, Inc.

Affected Systems and Versions

Based on the available advisory data, the affected product is:

  • Microsoft Windows Admin Center (on premises variant), versions prior to 2.6.5.16

The vulnerability is exploitable in any deployment where Windows Admin Center is accessible over the network and low privileged users can authenticate to the instance. This includes physical, virtual, on premises, and hosted environments where Windows Admin Center is deployed as the management gateway.

Organizations should also evaluate their exposure to CVE-2026-41086 if they run the Azure Portal variant of Windows Admin Center, which requires a separate update to version 2.6.7.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization