CVE-2026-32196

Name of the Vulnerable Software and Affected Versions Windows Admin Center (affected versions not specified)

Description Improper neutralization of input during web page generation leads to cross-site scripting (XSS), which is a flaw where malicious scripts are injected into trusted websites. An unauthorized attacker can craft a malicious gateway URL that triggers a response-based XSS within the error handling of the software. When visited by a privileged Azure administrator, this allows JavaScript execution under the software origin. This can lead to arbitrary PowerShell execution on every managed server the victim has access to without requiring credentials. In on-premises deployments, this chain enables the theft of Azure access and refresh tokens from local storage, allowing for full tenant impersonation and lateral movement into EntraID and Azure.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.