Microsoft Disputes Azure Backup Vulnerability Report, Researcher Says Silent Patch Contradicts the Denial
- Sara Montes de Oca

- 9 hours ago
- 3 min read
A security researcher says Microsoft quietly fixed a privilege escalation flaw in Azure Backup for Kubernetes after rejecting his disclosure report and blocking the issuance of a CVE — a sequence of events that has drawn scrutiny over how large vendors handle contested vulnerability findings.
Justin O'Leary discovered the flaw in March 2026 and reported it to Microsoft on March 17. The Microsoft Security Response Center rejected the report on April 13, characterizing the issue as one in which "the attacker already held administrator access" — a description O'Leary says fundamentally misrepresents the vulnerability.
"This is factually incorrect," O'Leary stated. "The vulnerability allows a user with zero Kubernetes permissions to gain cluster-admin. The attack does not require existing cluster access — it grants it."
The flaw centered on Azure Backup for AKS, which uses a Trusted Access mechanism to grant backup extensions cluster-admin privileges inside Kubernetes clusters. O'Leary's report contends that any user holding only the low-privileged "Backup Contributor" role on a backup vault could trigger that Trusted Access relationship without possessing any pre-existing Kubernetes permissions — effectively escalating from a limited role to full cluster control.
O'Leary classified the issue as a Confused Deputy vulnerability under CWE-441, in which Azure RBAC and Kubernetes RBAC trust boundaries interacted in a way that bypassed expected authorization controls.
After Microsoft's rejection, O'Leary escalated to the CERT Coordination Center, which independently validated the vulnerability on April 16 and assigned it tracking identifier VU#284781. CERT/CC initially scheduled public disclosure for June 1, 2026, but that date passed without disclosure. On May 4, Microsoft staff reportedly contacted MITRE recommending against CVE assignment, again arguing the issue required pre-existing administrative access. CERT/CC subsequently closed the case under CNA hierarchy rules, leaving Microsoft — which holds CNA status — with final authority over CVE issuance for its own products.
Microsoft told BleepingComputer in a statement: "Our assessment concluded that this is not a security vulnerability, but rather expected behavior that requires pre-existing administrative privileges within the customer's environment. Therefore, no product changes were made to address this report and no CVE or CVSS score were issued."
O'Leary disputes that characterization and points to behavioral changes he documented after his report became public. The original attack path no longer functions, returning an error — "UserErrorTrustedAccessGatewayReturnedForbidden: The Trusted Access role binding is missing/has gotten removed" — that did not exist during his March testing. Azure Backup for AKS now requires Trusted Access to be manually configured before backup can be enabled, reversing the earlier automatic configuration behavior. Additional permission checks have also appeared, with vault and cluster managed service identities now requiring permissions that were absent when O'Leary first documented the issue.
Microsoft has issued neither a public advisory nor customer notification.
The absence of a CVE leaves defenders without a standard mechanism to track their exposure window. "Organizations that granted Backup Contributor between an unknown start date and May 2026 were exposed to privilege escalation," O'Leary wrote. "Without a CVE, security teams cannot track this exposure. Silent patching protects vendors, not customers."
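For defenders trying to reason about the exposure window described above, the useful question is: for each AKS cluster that carries a Trusted Access binding from a Backup Vault, which identities hold a vault-scoped role (Backup Contributor, here) and therefore sat on the Azure RBAC side of the Confused Deputy chain into cluster-admin? The following audit script is an added example, not code from the article, from O'Leary, or from Microsoft. It assumes the JSON shapes emitted by `az role assignment list --all -o json` (fields `principalName`, `roleDefinitionName`, `scope`) and `az aks trustedaccess rolebinding list -o json` (fields `name`, `roles`, `sourceResourceId`); the subscription id, resource names and principal names are constructed placeholders. It also handles the edge case that matters most in practice: Azure RBAC inherits downward, so a Backup Contributor grant at resource-group or subscription scope covers every vault beneath it and must be counted.

```python
"""
Audit helper (constructed example): correlate Azure RBAC assignments on Backup
Vaults with AKS Trusted Access role bindings, to list which principals could
reach a cluster through a vault-level role alone. Inventory only; it performs
no changes and exercises no attack path.
"""
import json

# Constructed sample in the shape of `az role assignment list --all -o json`.
# The subscription id and names are placeholders, not real resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_PROD = SUB + "/resourceGroups/rg-backup/providers/Microsoft.DataProtection/backupVaults/vault-prod"
ROLE_ASSIGNMENTS_JSON = json.dumps([
    # direct grant on the vault
    {"principalName": "alice@example.com", "roleDefinitionName": "Backup Contributor",
     "scope": VAULT_PROD},
    # Reader on the vault: not part of the chain
    {"principalName": "bob@example.com", "roleDefinitionName": "Reader",
     "scope": VAULT_PROD},
    # inherited grant: resource-group scope covers every vault beneath it
    {"principalName": "carol@example.com", "roleDefinitionName": "Backup Contributor",
     "scope": SUB + "/resourceGroups/rg-backup"},
    # Backup Contributor on an unrelated vault: must not be reported for vault-prod
    {"principalName": "dave@example.com", "roleDefinitionName": "Backup Contributor",
     "scope": SUB + "/resourceGroups/rg-other/providers/Microsoft.DataProtection/backupVaults/vault-dev"},
])

# Constructed sample in the shape of `az aks trustedaccess rolebinding list -o json`
# for one cluster; the role name is the backup-operator Trusted Access role.
TRUSTED_ACCESS_JSON = json.dumps([
    {"name": "backup-binding",
     "roles": ["Microsoft.DataProtection/backupVaults/backup-operator"],
     "sourceResourceId": VAULT_PROD.upper()},  # resource ids are case-insensitive
])


def principals_with_role_on(assignments, resource_id, role_name):
    """Principals holding role_name at resource_id or at any parent scope.

    Azure resource ids are case-insensitive, so both sides are lower-cased.
    A scope matches when it equals the resource id or is a path prefix of it
    (subscription, resource group, or the vault itself).
    """
    rid = resource_id.lower().rstrip("/")
    hits = set()
    for a in assignments:
        if a.get("roleDefinitionName") != role_name:
            continue
        scope = a["scope"].lower().rstrip("/")
        if rid == scope or rid.startswith(scope + "/"):
            hits.add(a["principalName"])
    return hits


def trusted_access_exposure(cluster_name, bindings, assignments,
                            role_name="Backup Contributor"):
    """Map each Trusted Access binding on a cluster to the principals who hold
    role_name over the vault named in the binding's sourceResourceId."""
    report = {}
    for b in bindings:
        vault_id = b["sourceResourceId"]
        report[b["name"]] = {
            "cluster": cluster_name,
            "vault": vault_id,
            "trusted_access_roles": list(b.get("roles", [])),
            "principals": sorted(principals_with_role_on(assignments, vault_id, role_name)),
        }
    return report


def load_samples():
    """Parse the constructed samples the way real CLI output would be parsed."""
    return json.loads(ROLE_ASSIGNMENTS_JSON), json.loads(TRUSTED_ACCESS_JSON)


if __name__ == "__main__":
    assignments, bindings = load_samples()
    for name, finding in trusted_access_exposure("aks-prod", bindings, assignments).items():
        print(f"[{finding['cluster']}] binding {name} -> vault {finding['vault']}")
        print("  trusted access roles:", ", ".join(finding["trusted_access_roles"]))
        print("  principals with Backup Contributor over this vault:",
              ", ".join(finding["principals"]) or "(none)")
```

Replacing the two constructed samples with the real command output for each cluster gives a per-cluster list of identities to review against least privilege. Because the fix O'Leary documented makes Trusted Access a manual step rather than an automatic one, any binding the script finds today is one someone configured deliberately, which makes the list short enough to review by hand.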
Microsoft also reportedly described O'Leary's submission to MITRE as "AI-generated content" — a characterization O'Leary says ignored the technical substance of his report entirely.
The dispute reflects a wider tension in the vulnerability disclosure ecosystem. Disagreements between researchers and major vendors over severity and exploitability have grown more common, compounded by concerns that AI-assisted bug reports are straining triage pipelines and making it harder for legitimate findings to receive timely review. The outcome of O'Leary's case — a contested silent fix with no public record — underscores the limits of responsible disclosure frameworks when vendor and researcher assessments diverge sharply.


