🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-8932 is a vulnerability in Azure involving incomplete mutual TLS (mTLS) configuration matching during connection reuse. When connections are reused, the system may fail to correctly validate mTLS settings, potentially allowing a connection authenticated under one certificate policy to be reused in a context where a different, stricter policy should apply. This could result in unintended access or information disclosure between workloads that rely on mTLS for mutual authentication.

Security Architect’s Take: Audit any Azure services or application configurations that rely on mTLS for workload-to-workload authentication and connection pooling — consider disabling connection reuse where strict per-request mTLS enforcement is critical until a patch is confirmed applied. Review service mesh and API gateway configurations (e.g. Azure API Management, AKS ingress controllers) that leverage mTLS to ensure connection reuse policies align with your trust boundaries.

Original advisory: CVE-2026-8932 incomplete mTLS config matching in conn reuse