🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-9545 is a vulnerability in HTTP/3 early data (also known as 0-RTT data) handling within Microsoft Azure, which could expose sensitive request data to attackers. Early data in HTTP/3 is replayed before a full TLS handshake is complete, making it susceptible to replay attacks and potential information disclosure. This matters because Azure-hosted applications using HTTP/3 could inadvertently leak user data or session information without any direct user interaction.

Security Architect’s Take: Audit any Azure services and API gateways you operate that have HTTP/3 enabled, and consider disabling 0-RTT early data support until a patch is applied or Microsoft confirms mitigating controls — pay particular attention to workloads handling sensitive or authenticated requests.

Original advisory: CVE-2026-9545 exposing HTTP/3 early data