Azure Custom Locations is the Azure Arc control-plane feature that exposes an Arc-enabled Kubernetes cluster as a deployment target for Azure services. Privilege escalation in this layer lets an attacker deploy, modify, or destroy Azure services within the affected tenant or Arc-connected Kubernetes environment, including production workloads and data stores. The operational risk includes unauthorized access to business-critical applications running on Arc-enabled infrastructure, potential data exposure, and the possibility of an attacker using the elevated access to persist and move laterally across connected cloud resources. For organizations that use Azure Arc to manage hybrid or multi-cloud Kubernetes deployments, this vulnerability sits directly in the path of their cloud management layer.
You Are Affected If
You have Azure Arc enabled in one or more Azure subscriptions
You use Azure Custom Locations to configure Arc-enabled Kubernetes clusters as deployment targets
The Custom Locations Resource Provider (Microsoft.ExtendedLocation) is registered and active in your subscription
You have not yet applied the Microsoft patch for CVE-2026-26135 as published in the MSRC April 2026 update
Users or service principals with limited Azure roles have access to Arc-enabled resources within the affected tenant scope
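The conditions above are easiest to work through with an inventory of what each subscription actually contains. The script below is an added example, not part of this advisory and not Microsoft tooling: it uses the Azure CLI (assumed to be installed and signed in with `az login`) to report the registration state of Microsoft.ExtendedLocation in every visible subscription, each Custom Location and Arc-connected cluster, and the role assignments that reach each Custom Location, which is the set of users and service principals the last condition asks you to review. The `rp_verdict` labels are this example's own convention, and the script says nothing about whether the patch has been applied.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory): inventory Azure Custom Locations
# exposure indicators across all subscriptions the signed-in identity can see.
# Assumes the Azure CLI (az) is installed and `az login` has been run.
set -eu

# Map a resource-provider registrationState to a checklist verdict.
# Pure function (no network) so the mapping itself can be checked offline.
rp_verdict() {
  case "$1" in
    Registered|Registering)
      echo "RP-ACTIVE" ;;          # Custom Locations can be created/used here
    NotRegistered|Unregistered|Unregistering)
      echo "RP-INACTIVE" ;;        # feature not usable in this subscription
    *)
      echo "UNKNOWN" ;;            # lookup failed or state not recognised
  esac
}

# Report one subscription: provider state, Custom Locations with the
# principals that hold any role on them (inherited included), and Arc clusters.
audit_subscription() {
  local sub="$1"
  local state
  state=$(az provider show --namespace Microsoft.ExtendedLocation \
            --subscription "$sub" --query registrationState -o tsv 2>/dev/null \
          || echo "Unknown")
  echo "subscription=$sub Microsoft.ExtendedLocation=$state verdict=$(rp_verdict "$state")"

  az resource list --subscription "$sub" \
      --resource-type Microsoft.ExtendedLocation/customLocations \
      --query "[].{name:name, rg:resourceGroup, id:id}" -o tsv |
  while read -r name rg id; do
    echo "  customLocation: $name (rg=$rg)"
    # Every principal with a role at or above this Custom Location.
    az role assignment list --scope "$id" --include-inherited \
        --query "[].{p:principalName, t:principalType, r:roleDefinitionName}" -o tsv |
    sed 's/^/    roleAssignment: /'
  done

  az resource list --subscription "$sub" \
      --resource-type Microsoft.Kubernetes/connectedClusters \
      --query "[].{name:name, rg:resourceGroup}" -o tsv |
  sed 's/^/  connectedCluster: /'
}

main() {
  az account list --query "[].id" -o tsv | while read -r sub; do
    audit_subscription "$sub"
  done
}

# Only run the live inventory when the CLI is available; the helper above
# still loads for offline use.
if command -v az >/dev/null 2>&1; then
  main
else
  echo "az CLI not found; install it and run 'az login' first" >&2
fi
```

Run it with an identity that has Reader on the subscriptions of interest; Reader is enough for `az provider show`, `az resource list` and `az role assignment list`. Any subscription reported as RP-ACTIVE with at least one customLocation line meets the first three conditions above, and the roleAssignment lines under it are the accounts to audit.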
Board Talking Points
A critical security flaw in Microsoft's Azure Arc cloud management platform allows an attacker who already holds a low-privileged account in your cloud environment to elevate to near-administrative privileges over connected infrastructure.
The security team should apply Microsoft's patch for this vulnerability within 48-72 hours of its availability and audit cloud access permissions on Arc-connected systems immediately.
Without remediation, an attacker with limited initial access could gain control over production cloud workloads and data, turning a minor breach into a major one.