cve 2026 35428

CVE-2026-35428 is a critical Azure Cloud Shell spoofing vulnerability disclosed by Microsoft on May 7, 2026. The issue stems from a command-injection weakness that could allow spoofing attacks. Microsoft has already mitigated the vulnerability on the service side, meaning no customer action or patch installation is required. The CVE was published with confirmed report confidence but no evidence of public disclosure or active exploitation. This vulnerability highlights a shift in cloud security, where critical fixes are applied transparently by the provider rather than through traditional user-installed patches. Discussions on WindowsForum focus on the implications of such cloud-native vulnerabilities and the changing nature of vulnerability management in Azure environments.