Microsoft has fixed a critical vulnerability in its Enterprise Security Token Service (ESTS) that could have allowed attackers to spoof authentication tokens and gain unauthorized access to any resource protected by Microsoft Entra ID. The flaw, assigned CVE-2026-40379 and patched silently ahead of its May 7, 2026 disclosure, required no customer action: the cloud-side fix rolled out globally, eliminating a vector that could have enabled identity spoofing across enterprise and government tenants.
Classified as a spoofing vulnerability with a CVSS score of 9.8, the bug let unauthenticated attackers exploit a validation gap in the way ESTS handled token requests. Because the service underpins virtually all Microsoft 365, Azure, and third-party federated applications, the scope of potential damage was vast. Microsoft's advisory, published in two separate entries (ADV260003 and ADV260004), described the issue as corrected, with no additional configuration needed.
How the ESTS Spoofing Attack Worked
ESTS acts as the central identity provider for Microsoft Entra ID (formerly Azure Active Directory). When a user authenticates, ESTS issues signed JSON Web Tokens (JWTs) that applications trust to authorize access. The vulnerability allowed an attacker to present a token with a manipulated header or signature that ESTS would still accept as valid.
Sources familiar with the technical details say the bug involved improper handling of the `alg: none` header value or a key confusion attack, in which an attacker submits a token signed with a symmetric key while the server expects asymmetric validation. In practice, this meant a remote, unauthenticated user could generate a token for any arbitrary user or service principal, effectively impersonating them across the Entra ID ecosystem.
Once forged, the token could be used to call Microsoft Graph, Azure Resource Manager, or any custom API protected by the common identity layer. Attackers could read mail, exfiltrate SharePoint documents, spin up virtual machines, or escalate privileges to Global Administrator without knowing a password or having to defeat multi-factor authentication, because the forged token carries whatever claims the attacker chooses.
Discovery and Coordinated Response
The vulnerability was uncovered by an internal Microsoft red team during a scheduled adversary simulation exercise in March 2026. According to a Microsoft representative, the team pinpointed the token validation anomaly within hours and escalated it through the company’s Coordinated Vulnerability Disclosure program. Because the service is entirely cloud‑controlled, Microsoft was able to develop and deploy a fix within days, precluding the need for a traditional patch Tuesday release.
The fix went live across all Azure regions by April 12, 2026. Microsoft monitored the service for exploitation attempts and found no evidence of in-the-wild abuse before or after the patch. When asked about a bounty for external discoverers, Microsoft declined to confirm whether any external researchers had reported the issue, only stating that cross-team collaboration enabled swift remediation.
Scope and Affected Services
Almost every service that relies on Microsoft Entra ID authentication was exposed. The table below summarizes the key areas:
| Service Category | Exposure |
|---|---|
| Microsoft 365 (Exchange, SharePoint, Teams) | Full account compromise |
| Azure Management Plane | Resource creation, deletion, data access |
| Microsoft Graph API | Access to all user, group, and directory data |
| Third‑party Federated Apps | Unauthorized login to thousands of SaaS apps |
| Azure DevOps, Power Platform | Code repos, pipeline manipulation |
Because ESTS is a shared service, no specific customer action was required to receive the patch. However, Microsoft's advisory urged security teams to review sign-in logs for unusual token issuance patterns between mid-March and mid-April 2026, especially entries where the `appId` property showed ESTS itself as the client application, or where the `tokenIssuerType` indicated an unknown federation partner.
Real‑World Impact: What Could Have Happened
Even a short window of exploitation could have been catastrophic. JWT spoofing is notoriously difficult to detect without deep inspection of token claims and source IPs, because a forged token that passes signature validation looks identical to a legitimate one in most logs. An attacker who exploited this vector could have:
- Hijacked executive email accounts to launch business email compromise (BEC) campaigns.
- Created permanent backdoor service principals with Global Admin rights.
- Exfiltrated terabytes of sensitive data from SharePoint and OneDrive.
- Deleted entire Azure subscriptions or held them for ransom.
- Moved laterally to hybrid environments by forging on‑premises SAML tokens if ADFS was in use.
The absence of any known exploitation, combined with the swift fix, likely prevented a global incident comparable to the SolarWinds supply chain attack. Still, security researchers point out that nation‑state actors could have had undiscovered access for weeks.
Technical Deep Dive: Token Validation Bypass
Based on publicly available information and analysis from security researcher Jake Williams, the problem stemmed from fallback logic in ESTS's token validation library. When parsing a JWT, the service would normally read the `kid` (Key ID) header parameter to look up the correct public key. If the `kid` was missing or malformed, the code path reverted to a set of default keys, including one that was never intended for token validation but for internal service-to-service communication.
By omitting the `kid` header, an attacker could force ESTS to validate the token against this internal key, which they could have derived or brute-forced from public-facing error messages. Because the internal key was symmetric, whoever held it could both sign and validate tokens, completing the spoof.
This class of vulnerability, often called "key confusion", is not new. It mirrors CVE-2020-0601 (the CurveBall or "Chain of Fools" flaw in Windows CryptoAPI) in how a cryptographic assumption gets subverted by an implementation flaw in the validator rather than by weak cryptography. The difference here is the ubiquitous nature of ESTS; any service trusting the token would honor it, making the impact far wider.
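To make the fallback described above (and the `alg: none` and key-confusion variants mentioned earlier under "How the ESTS Spoofing Attack Worked") concrete, here is an added Python example written for this page; it is not code from the article, from Jake Williams, or from Microsoft. It models a validator that selects a key by `kid`, falls back to a default set containing an internal service-to-service key when `kid` is absent or unknown, and honours `alg: none`, beside a hardened validator. Every key, `kid`, audience and claim is constructed, and HMAC-SHA256 stands in for the RSA keys a real token service publishes so the demo runs on the standard library alone; what it shows is the key-selection fallback, not RSA-versus-HMAC type confusion.

```python
"""Toy JWT validator: the kid-fallback bug described above, beside a hardened version.
All keys, kids and claims are constructed for the demo; HMAC-SHA256 stands in for the
RSA keys a real token service publishes, so only the key-selection logic is modelled."""
import base64
import hashlib
import hmac
import json
from typing import Optional

AUDIENCE = "api://graph.contoso.example"   # constructed audience, not a real resource

# Constructed key store. Real published keys would be RSA public keys fetched from a JWKS URL.
PUBLISHED_KEYS = {
    "kid-2026-05": {"alg": "HS256", "key": b"published-signing-key-2026-05", "purpose": "token-signing"},
}
# Internal service-to-service key that was never meant to validate user tokens.
INTERNAL_S2S_KEY = {"alg": "HS256", "key": b"internal-service-to-service-key", "purpose": "internal-s2s"}
# The flawed fallback set, consulted when kid is missing or unknown.
DEFAULT_KEYS = [PUBLISHED_KEYS["kid-2026-05"], INTERNAL_S2S_KEY]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_jwt(header: dict, claims: dict, key: Optional[bytes]) -> str:
    """Encode header.claims.signature; key=None produces an unsigned (alg none) token."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    c = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{h}.{c}".encode()
    sig = b"" if key is None else hs256(signing_input, key)
    return f"{h}.{c}.{b64url(sig)}"


def _split(token: str):
    h, c, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), b64url_decode(s), f"{h}.{c}".encode()


def vulnerable_verify(token: str) -> Optional[dict]:
    """Accepts alg none, and on a missing or unknown kid tries every default key,
    including the internal one, so a token signed with that key validates."""
    header, claims, sig, signing_input = _split(token)
    if header.get("alg") == "none":
        return claims                                   # bug 1: unsigned token honoured
    kid = header.get("kid")
    candidates = [PUBLISHED_KEYS[kid]] if kid in PUBLISHED_KEYS else DEFAULT_KEYS  # bug 2: fallback
    for k in candidates:
        if hmac.compare_digest(hs256(signing_input, k["key"]), sig):
            return claims
    return None


def hardened_verify(token: str, expected_aud: str) -> Optional[dict]:
    """Missing or unknown kid is a hard failure, alg is pinned to the key's registered
    algorithm (so 'none' can never match), only token-signing keys are eligible, and aud is checked."""
    header, claims, sig, signing_input = _split(token)
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in PUBLISHED_KEYS:
        return None
    key = PUBLISHED_KEYS[kid]
    if header.get("alg") != key["alg"] or key["purpose"] != "token-signing":
        return None
    if not hmac.compare_digest(hs256(signing_input, key["key"]), sig):
        return None
    if claims.get("aud") != expected_aud:
        return None
    return claims


def legitimate_token() -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": "kid-2026-05"}
    claims = {"sub": "alice@contoso.example", "aud": AUDIENCE, "roles": ["User"]}
    return make_jwt(header, claims, PUBLISHED_KEYS["kid-2026-05"]["key"])


def forged_no_kid_token() -> str:
    """Attacker omits kid and signs with the internal key (the scenario in the deep dive)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": "admin@contoso.example", "aud": AUDIENCE, "roles": ["Global Administrator"]}
    return make_jwt(header, claims, INTERNAL_S2S_KEY["key"])


def forged_alg_none_token() -> str:
    """Attacker strips the signature entirely and declares alg none."""
    header = {"alg": "none", "typ": "JWT"}
    claims = {"sub": "admin@contoso.example", "aud": AUDIENCE, "roles": ["Global Administrator"]}
    return make_jwt(header, claims, None)


if __name__ == "__main__":
    cases = [("legitimate", legitimate_token()), ("no-kid forgery", forged_no_kid_token()),
             ("alg-none forgery", forged_alg_none_token())]
    for name, tok in cases:
        print(f"{name:18} vulnerable={vulnerable_verify(tok) is not None}"
              f"  hardened={hardened_verify(tok, AUDIENCE) is not None}")
```

The hardened path refuses to guess: an absent or unregistered `kid` is an error, the algorithm is taken from the key record rather than from the attacker-controlled header, and keys carry a purpose so a service-to-service secret can never be selected for user-token validation. Running the script prints `True` for all three tokens under the vulnerable validator and `True` only for the legitimate one under the hardened validator.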
Immediate Steps for Defenders
Although the service is patched, Microsoft recommends the following retrospective actions:
- Audit Entra ID sign-in logs: Look for login events where the `deviceDetail.isCompliant` property is false and the `authenticationProtocol` shows `oAuth2` or `wsTrust` with an unusual `tokenIssuerType`. Filter for the window between March 15 and April 15, 2026.
- Check for new service principals: In the Azure portal or via Microsoft Graph, list all service principals created in that same window. Validate their API permissions and verify they are known applications.
- Review recent role assignments: Look for unexpected role assignment operations, especially those granting Global Administrator or Application Administrator roles.
- Enable advanced detections: If using Microsoft 365 Defender or a third-party SIEM, add custom detection rules for anomalies in token claims, such as `x-ms-token-microsoft-ests-legacy` headers.
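The first three checks in the list above, together with the advisory's earlier advice to look for ESTS appearing as the client `appId` or an unknown `tokenIssuerType`, are one retrospective hunt. The Python below is an added example written for this page, not Microsoft's own tooling or a query from the advisory: it runs those checks over a handful of constructed records whose field names follow the Microsoft Graph `signIn`, `servicePrincipal` and `directoryAudit` resources. The set of "known" issuer types and app ids, the ESTS app id placeholder, and every record are assumptions to be replaced with your tenant's own values; in practice you would feed it an export from the sign-in log or a Graph query for the same window.

```python
"""Retrospective hunt over sign-in, service-principal and role-assignment records.
Field names follow the Microsoft Graph signIn / servicePrincipal / directoryAudit
resources; every record, id and app id below is constructed for the demo."""
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 3, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 15, 23, 59, 59, tzinfo=timezone.utc)
KNOWN_ISSUER_TYPES = {"AzureAD", "ADFederationServices"}   # assumption: what this tenant normally sees
KNOWN_APP_IDS = {"app-intune-portal", "app-outlook"}       # assumption: app ids the tenant recognises
ESTS_APP_IDS = {"app-ests-placeholder"}                    # placeholder for the appId your tenant shows for ESTS
PRIVILEGED_ROLES = {"Global Administrator", "Application Administrator"}


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def in_window(text: str) -> bool:
    return WINDOW_START <= parse_ts(text) <= WINDOW_END


# Constructed sign-in records (signIn resource shape).
SIGNINS = [
    {"id": "s1", "createdDateTime": "2026-03-20T10:15:00Z", "userPrincipalName": "alice@contoso.example",
     "appId": "app-outlook", "authenticationProtocol": "oAuth2", "tokenIssuerType": "AzureAD",
     "deviceDetail": {"isCompliant": True}},
    {"id": "s2", "createdDateTime": "2026-04-02T03:41:00Z", "userPrincipalName": "ceo@contoso.example",
     "appId": "app-outlook", "authenticationProtocol": "oAuth2", "tokenIssuerType": "UnknownFutureValue",
     "deviceDetail": {"isCompliant": False}},
    {"id": "s3", "createdDateTime": "2026-04-09T22:05:00Z", "userPrincipalName": "svc-backup@contoso.example",
     "appId": "app-ests-placeholder", "authenticationProtocol": "wsTrust", "tokenIssuerType": "AzureAD",
     "deviceDetail": {"isCompliant": True}},
    {"id": "s4", "createdDateTime": "2026-05-01T08:00:00Z", "userPrincipalName": "bob@contoso.example",
     "appId": "app-outlook", "authenticationProtocol": "oAuth2", "tokenIssuerType": "UnknownFutureValue",
     "deviceDetail": {"isCompliant": False}},          # same pattern as s2 but outside the window
]

# Constructed service principals (servicePrincipal resource shape).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Intune Portal", "appId": "app-intune-portal", "createdDateTime": "2025-11-02T09:00:00Z"},
    {"id": "sp-2", "displayName": "SyncHelper", "appId": "app-unknown-7f3a", "createdDateTime": "2026-04-01T01:12:00Z"},
]

# Constructed role-assignment audit entries (directoryAudit resource shape, flattened).
ROLE_AUDITS = [
    {"id": "a1", "activityDateTime": "2026-04-01T01:15:00Z", "activityDisplayName": "Add member to role",
     "roleName": "Global Administrator", "targetId": "sp-2"},
    {"id": "a2", "activityDateTime": "2026-04-03T14:20:00Z", "activityDisplayName": "Add member to role",
     "roleName": "Helpdesk Administrator", "targetId": "u-77"},
    {"id": "a3", "activityDateTime": "2026-02-10T11:00:00Z", "activityDisplayName": "Add member to role",
     "roleName": "Global Administrator", "targetId": "u-1"},   # outside the window
]


def suspicious_signins(records) -> dict:
    """Map sign-in id -> reasons, applying the two log patterns the advisory singles out."""
    hits = {}
    for r in records:
        if not in_window(r["createdDateTime"]):
            continue
        reasons = []
        if (not r.get("deviceDetail", {}).get("isCompliant", False)
                and r.get("authenticationProtocol") in {"oAuth2", "wsTrust"}
                and r.get("tokenIssuerType") not in KNOWN_ISSUER_TYPES):
            reasons.append("non-compliant device with unexpected tokenIssuerType")
        if r.get("appId") in ESTS_APP_IDS:
            reasons.append("token service itself appears as the client appId")
        if reasons:
            hits[r["id"]] = reasons
    return hits


def new_unknown_service_principals(sps) -> list:
    """Service principals created in the window whose appId is not on the allow-list."""
    return [sp["id"] for sp in sps if in_window(sp["createdDateTime"]) and sp["appId"] not in KNOWN_APP_IDS]


def privileged_role_grants(audits) -> list:
    """Audit entries in the window that granted Global or Application Administrator."""
    return [a["id"] for a in audits
            if in_window(a["activityDateTime"]) and a["activityDisplayName"] == "Add member to role"
            and a["roleName"] in PRIVILEGED_ROLES]


def backdoor_candidates(sps, audits) -> list:
    """Correlate the two lists: new, unrecognised service principals that also received a privileged role."""
    grant_ids = set(privileged_role_grants(audits))
    granted_targets = {a["targetId"] for a in audits if a["id"] in grant_ids}
    return sorted(set(new_unknown_service_principals(sps)) & granted_targets)


if __name__ == "__main__":
    print("suspicious sign-ins:", suspicious_signins(SIGNINS))
    print("new unknown service principals:", new_unknown_service_principals(SERVICE_PRINCIPALS))
    print("privileged role grants:", privileged_role_grants(ROLE_AUDITS))
    print("backdoor candidates:", backdoor_candidates(SERVICE_PRINCIPALS, ROLE_AUDITS))
```

The time-window filter is applied first in every function so that an identical pattern outside the window (record `s4`) does not pollute the result, and the final correlation is the one most worth triaging: a service principal nobody recognises that was created and handed Global Administrator within minutes is exactly the "permanent backdoor" the impact section warns about.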
For most organizations, these checks will yield no findings. The automated fix closed the loophole completely, and Microsoft’s telemetry did not register any malicious token issuance.
The Broader Implication for Cloud Identity Security
CVE‑2026‑40379 underscores a fundamental truth about cloud services: vulnerabilities in shared identity platforms are single points of failure that can undermine an entire trust ecosystem. ESTS is not just a Microsoft service; it is the identity backbone for millions of organizations and thousands of integrations.
This incident has renewed calls for continuous evaluation of a session's trust after a token is first accepted, rather than a single check at presentation. Technologies like Continuous Access Evaluation (CAE) already provide some protection by letting resource providers reject tokens in near real time when a critical event such as a user disable or password change occurs, but they are not a panacea. If a forged token is accepted as genuine, there is no revocation event for CAE to act on, and the token will be honored until it expires.
Security architect Rafal Los from the National Cyber Security Society argues: “We need verifiable credentials and decentralized identity models to reduce the blast radius of any single identity provider. ESTS is a giant target, and while this vulnerability was caught internally, the next one may not be.”
What Microsoft Did Right
Microsoft’s handling of CVE‑2026‑40379 followed best practices for cloud‑native fixes. By being the service operator, the company could hotfix without waiting for user action. This avoided the typical scenario where a critical patch ships on Patch Tuesday, leaving enterprises vulnerable for days during testing and deployment cycles.
Transparency, however, came later. The May 7 disclosure was intentionally delayed until after the patch had been live for nearly a month, a practice Microsoft calls “cloud‑first remediation.” While some security experts argue that immediate transparency helps defenders hunt threats faster, the risk of tipping off attackers likely justified the embargo.
The dual advisory numbers—ADV260003 and ADV260004—suggest that the vulnerability may have affected two different software components or that documentation needed to be split for legal or contractual reasons. The former covered the token validation logic, while the latter focused on downstream services that consumed the tokens, such as Azure App Service and Logic Apps.
How This Compares to Past Identity Attacks
The Azure ecosystem has seen its share of token‑related vulnerabilities. In 2021, “OMIGOD” exposed management agents in Azure Linux VMs. In 2023, a flaw in Microsoft’s hybrid identity wizard could bypass ADFS. But CVE‑2026‑40379 is arguably the most dangerous identity‑layer flaw since the Golden SAML attack, which also targeted a trusted token issuer.
What sets this apart is the no-action fix. With Golden SAML, affected customers had to rotate the AD FS token-signing certificates themselves (twice, so that cached copies of the old certificate stopped being trusted) and hunt for forged assertions on their own. Here, Microsoft did the heavy lifting, effectively rotating internal keys and updating the validation logic behind the scenes.
Actionable Takeaways for IT Leaders
- Revisit your identity incident response plan: How would you detect and contain a token spoofing event? If you rely solely on Entra ID logs, make sure your licensing covers what you need (Entra ID P1 gives 30-day sign-in log retention; P2 adds Identity Protection risk detections) and export the logs to a SIEM if an investigation might need to look back further than 30 days.
- Strengthen conditional access rules: Even if a token is valid, policies requiring compliant devices, geographical restrictions, or specific authentication strengths can limit what an attacker can do.
- Embrace continuous monitoring: Adopt Microsoft Sentinel or a comparable solution to alert on anomalous token usage patterns, not just failed logins.
- Pressure your cloud providers for transparent fix timelines: Advocate for faster disclosure when critical services are affected, balancing operational security with defender needs.
Future Outlook
Microsoft has committed to enhancing its token issuance and validation service with additional automated anomaly detection. In a post‑incident blog, the Azure Identity team hinted at a “cryptographic agility” initiative that will allow the platform to deprecate older algorithms and keys faster, reducing the attack surface for key confusion attacks.
For now, the lesson is clear: the trust placed in a JSON Web Token is only as strong as the service that validates it. CVE-2026-40379 may be patched, but the ever-present risk of identity spoofing means defenders can never let their guard down.