🟠 High | Source: Microsoft Security Response Center
CVE-2026-8924 describes a vulnerability involving trailing dot domains being used to set ‘super cookies’ that can bypass normal cookie scoping boundaries. This can allow an attacker to set cookies that are unexpectedly shared across subdomains or services, potentially leading to session hijacking or cross-site data leakage. The issue is particularly concerning in multi-tenant cloud environments where domain boundaries are relied upon for isolation.
Security Architect’s Take: Review any Azure-hosted applications that handle cookie-based authentication and ensure your cookie scoping policies explicitly reject or sanitise trailing dot domain inputs. Consider enforcing strict domain validation at the WAF or application gateway layer to prevent malformed domain names from influencing cookie behaviour.
Original advisory: CVE-2026-8924 trailing dot domain super cookie