CVE-2026-50324 exposes Active Directory Federation Services to an unauthenticated network-based denial-of-service attack, allowing a remote attacker to disrupt federation and potentially block users from signing in to dependent applications. Microsoft fixed the vulnerability in its July 14, 2026 security updates and rates it Important, with a CVSS 3.1 base score of 5.9.
Detailed in the Microsoft Security Response Center advisory and recorded by the National Vulnerability Database, the flaw is an infinite-loop condition in AD FS. Microsoft says an unauthorized attacker can trigger the loop over a network, consuming the service’s ability to process legitimate work without first obtaining credentials or persuading a user to take action.
There is no indication that CVE-2026-50324 was publicly disclosed or exploited before Microsoft released the patch. CISA’s initial assessment similarly records no known exploitation, while noting that the attack is not considered readily automatable. That lowers the immediate threat compared with July’s actively exploited vulnerabilities, but an identity service outage can still have an outsized operational impact.
The CVSS vector for CVE-2026-50324 is
The mitigating factor is high attack complexity. Microsoft’s public description does not explain which conditions must align, what request reaches the vulnerable code path, or how long the service remains impaired. Administrators should therefore avoid assuming that every Internet request can trivially crash an AD FS farm, while also recognizing that the attacker does not need a valid organizational identity once the required conditions are understood.
The underlying weakness is classified as CWE-835, a loop with an unreachable exit condition. Such a flaw can trap a process or thread in repeated execution, consuming processing capacity and preventing normal requests from completing. Microsoft has not publicly described whether recovery requires restarting the AD FS service, rebooting a node, waiting for a request to time out, or taking another corrective step.
That uncertainty matters because AD FS often sits directly in the authentication path for Microsoft 365, third-party software-as-a-service platforms, internally hosted applications, and legacy claims-aware systems. The vulnerability does not need to compromise credentials to cause business disruption; it only needs to make the federation endpoint unavailable at the wrong time.
The affected product boundaries published with the CVE include:
Windows Server 2022 receives the corrected OS build 20348.5386 through the July update identified as KB5099540. Windows Server 2012 R2 is associated with the July Monthly Rollup KB5099444. Administrators should use the Microsoft Security Update Guide, Windows Update, WSUS, Microsoft Configuration Manager, or the Microsoft Update Catalog to map the correct package to every deployed server edition and servicing model.
Extended Security Updates also matter here. Windows Server 2012 R2 is beyond mainstream support, and Windows 10 Version 1607 or 1809 installations may only receive fixes under particular servicing channels or support arrangements. The presence of a CVE entry does not mean every retired installation will automatically obtain the package through ordinary Windows Update.
A multi-node AD FS farm gives administrators room to patch in stages. Nodes can be removed from the load balancer, updated and restarted if required, validated, and returned to service before the next node is processed. Web Application Proxy servers and any network devices publishing the federation service should also be checked after the maintenance window, even though the vulnerable component is AD FS itself.
Post-update validation should cover more than whether the Windows service reports a running state. Teams should test interactive sign-in, application redirects, token issuance, relying-party trust behavior, certificate access, and authentication through external publishing infrastructure. Event Viewer, AD FS Admin logs, proxy logs, CPU utilization, request latency, and load-balancer health probes can reveal a node that is technically online but unable to complete federation transactions.
Administrators unable to deploy immediately should reduce unnecessary exposure without breaking legitimate federation traffic. Rate limiting, upstream request controls, monitoring for unusual request bursts, and ensuring that only required AD FS endpoints are published may constrain denial-of-service attempts, but Microsoft has not presented those measures as substitutes for the security update.
A restart-and-recovery procedure should also be ready before an incident. If exploitation traps an AD FS process in an infinite loop, operations staff need a tested path for draining the affected node, restarting the service or server, and confirming that token issuance has resumed. That preparation is especially important for single-server deployments, where there is no healthy farm member to absorb authentication traffic.
Administrators should not confuse CVE-2026-50324 with CVE-2026-56155, a separate AD FS elevation-of-privilege vulnerability that Microsoft identified as exploited in the wild. The two issues have different impacts and exploit status, but both strengthen the case for updating federation servers promptly rather than prioritizing solely by the 5.9 score attached to this denial-of-service flaw.
The public evidence behind CVE-2026-50324 is nevertheless strong. Microsoft is the CVE Numbering Authority, identifies the root cause as an unreachable-exit loop, supplies exact affected-version boundaries, and has shipped corrected builds. That makes the vulnerability vendor-confirmed, even though Microsoft has released few technical details that would help defenders recognize an attempted exploit.
For AD FS operators, the remaining question is therefore not whether the flaw exists, but whether every federation node has crossed the patched build boundary. Until that inventory is complete and sign-in flows have been validated after installation, an unauthenticated request capable of taking authentication capacity offline remains an avoidable risk.
Detailed in the Microsoft Security Response Center advisory and recorded by the National Vulnerability Database, the flaw is an infinite-loop condition in AD FS. Microsoft says an unauthorized attacker can trigger the loop over a network, consuming the service’s ability to process legitimate work without first obtaining credentials or persuading a user to take action.
There is no indication that CVE-2026-50324 was publicly disclosed or exploited before Microsoft released the patch. CISA’s initial assessment similarly records no known exploitation, while noting that the attack is not considered readily automatable. That lowers the immediate threat compared with July’s actively exploited vulnerabilities, but an identity service outage can still have an outsized operational impact.
A Medium Score Can Still Mean a Major Identity Outage
The CVSS vector for CVE-2026-50324 is AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. In practical terms, the attacker can reach the vulnerable component over a network, needs no privileges, and requires no user interaction. Successful exploitation affects availability rather than exposing data or modifying the server.The mitigating factor is high attack complexity. Microsoft’s public description does not explain which conditions must align, what request reaches the vulnerable code path, or how long the service remains impaired. Administrators should therefore avoid assuming that every Internet request can trivially crash an AD FS farm, while also recognizing that the attacker does not need a valid organizational identity once the required conditions are understood.
The underlying weakness is classified as CWE-835, a loop with an unreachable exit condition. Such a flaw can trap a process or thread in repeated execution, consuming processing capacity and preventing normal requests from completing. Microsoft has not publicly described whether recovery requires restarting the AD FS service, rebooting a node, waiting for a request to time out, or taking another corrective step.
That uncertainty matters because AD FS often sits directly in the authentication path for Microsoft 365, third-party software-as-a-service platforms, internally hosted applications, and legacy claims-aware systems. The vulnerability does not need to compromise credentials to cause business disruption; it only needs to make the federation endpoint unavailable at the wrong time.
The Affected Range Reaches Back to Server 2012 R2
Microsoft’s CVE record identifies supported and extended-support Windows releases carrying the affected AD FS code. Both full installations and Server Core deployments are included where applicable.The affected product boundaries published with the CVE include:
- Windows Server 2012 R2 builds earlier than 6.3.9600.23291.
- Windows Server 2016 builds earlier than 10.0.14393.9339.
- Windows Server 2019 builds earlier than 10.0.17763.9020.
- Windows Server 2022 builds earlier than 10.0.20348.5386.
- Windows Server 2025 builds earlier than 10.0.26100.33158.
Windows Server 2022 receives the corrected OS build 20348.5386 through the July update identified as KB5099540. Windows Server 2012 R2 is associated with the July Monthly Rollup KB5099444. Administrators should use the Microsoft Security Update Guide, Windows Update, WSUS, Microsoft Configuration Manager, or the Microsoft Update Catalog to map the correct package to every deployed server edition and servicing model.
Extended Security Updates also matter here. Windows Server 2012 R2 is beyond mainstream support, and Windows 10 Version 1607 or 1809 installations may only receive fixes under particular servicing channels or support arrangements. The presence of a CVE entry does not mean every retired installation will automatically obtain the package through ordinary Windows Update.
Patch the Federation Farm Without Creating a New Outage
CVE-2026-50324 should be handled as an identity-availability issue rather than an isolated medium-severity workstation bug. Organizations with externally reachable AD FS endpoints should inventory federation servers, confirm their servicing status, and deploy the July 2026 cumulative security updates through the normal controlled-change process.A multi-node AD FS farm gives administrators room to patch in stages. Nodes can be removed from the load balancer, updated and restarted if required, validated, and returned to service before the next node is processed. Web Application Proxy servers and any network devices publishing the federation service should also be checked after the maintenance window, even though the vulnerable component is AD FS itself.
Post-update validation should cover more than whether the Windows service reports a running state. Teams should test interactive sign-in, application redirects, token issuance, relying-party trust behavior, certificate access, and authentication through external publishing infrastructure. Event Viewer, AD FS Admin logs, proxy logs, CPU utilization, request latency, and load-balancer health probes can reveal a node that is technically online but unable to complete federation transactions.
Administrators unable to deploy immediately should reduce unnecessary exposure without breaking legitimate federation traffic. Rate limiting, upstream request controls, monitoring for unusual request bursts, and ensuring that only required AD FS endpoints are published may constrain denial-of-service attempts, but Microsoft has not presented those measures as substitutes for the security update.
A restart-and-recovery procedure should also be ready before an incident. If exploitation traps an AD FS process in an infinite loop, operations staff need a tested path for draining the affected node, restarting the service or server, and confirming that token issuance has resumed. That preparation is especially important for single-server deployments, where there is no healthy farm member to absorb authentication traffic.
July’s AD FS Fixes Need Careful Triage
CVE-2026-50324 was one of several AD FS vulnerabilities addressed in Microsoft’s unusually large July 2026 Patch Tuesday release. BleepingComputer counted hundreds of Microsoft flaws in the release, including numerous denial-of-service issues and multiple vulnerabilities affecting Active Directory Federation Services.Administrators should not confuse CVE-2026-50324 with CVE-2026-56155, a separate AD FS elevation-of-privilege vulnerability that Microsoft identified as exploited in the wild. The two issues have different impacts and exploit status, but both strengthen the case for updating federation servers promptly rather than prioritizing solely by the 5.9 score attached to this denial-of-service flaw.
The public evidence behind CVE-2026-50324 is nevertheless strong. Microsoft is the CVE Numbering Authority, identifies the root cause as an unreachable-exit loop, supplies exact affected-version boundaries, and has shipped corrected builds. That makes the vulnerability vendor-confirmed, even though Microsoft has released few technical details that would help defenders recognize an attempted exploit.
For AD FS operators, the remaining question is therefore not whether the flaw exists, but whether every federation node has crossed the patched build boundary. Until that inventory is complete and sign-in flows have been validated after installation, an unauthenticated request capable of taking authentication capacity offline remains an avoidable risk.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com