Amazon Cognito now supports multi-Region replication, allowing user pool data — including credentials, configurations, and federation settings — to be synchronised to a standby Region in near real-time. This improves authentication resilience by enabling traffic failover during a regional outage without forcing users to re-authenticate. The feature is available as a paid add-on across most major AWS Regions.

Architect’s Take: Review your existing Cognito-based authentication architectures for single-Region dependencies and assess whether the Essentials or Plus tier add-on cost is justified by your RTO/RPO requirements. Ensure your incident response runbooks are updated to include Cognito traffic redirection procedures, and validate that federated identity providers (SAML/OIDC) are accessible from the secondary Region before declaring it ready for failover.

Original advisory: Amazon Cognito now supports multi-Region replication

AWS has introduced a new Lambda trigger for Amazon Cognito that allows developers to customise the federated sign-in process when users authenticate via external identity providers such as SAML, OIDC, or social logins. This enables teams to intercept and modify authentication flows at key points, such as attribute mapping or access decisions, without altering core Cognito configuration. The feature improves flexibility for organisations with complex identity federation requirements.

Architect’s Take: Review any existing custom authentication workarounds in your Cognito-integrated applications and assess whether this new trigger can consolidate or replace them — pay particular attention to how federated user attributes are mapped and validated, as improper handling here is a common source of privilege misassignment.

Original advisory: Customize federated sign-in with new Amazon Cognito Lambda trigger

Attackers are exploiting Meta’s AI support chatbot to hijack Instagram accounts by social-engineering the bot into adding a hacker-controlled email address and triggering a password reset. The attack requires no technical vulnerability in the traditional sense — the AI simply complies with the request after a verification code exchange. This highlights a significant trust and authorisation flaw in how Meta’s AI assistant handles account management actions on behalf of unauthenticated parties.

Architect’s Take: Treat AI-powered support agents as a privileged access vector and apply the same controls you would to any account recovery flow — ensure they cannot perform account modifications without verified, out-of-band identity confirmation tied to the existing account owner, not the requester.

Original advisory: Hacking Meta’s AI Chatbot

CVE-2026-39835 is a vulnerability in the Go standard cryptography library (golang.org/x/crypto/ssh) that allows a remote attacker to trigger a server panic — effectively crashing the SSH server — during the host key check or authentication phase. This is a denial-of-service risk affecting any service or application built with this Go SSH package, including components deployed on Azure. It matters because a crash during authentication can be exploited without valid credentials, making it trivially weaponisable.

Architect’s Take: Audit your Azure workloads and internal tooling for applications built with golang.org/x/crypto/ssh and prioritise patching to a fixed version of the library. Pay particular attention to Go-based microservices, infrastructure tooling, and any Azure-hosted SSH gateways or bastion services that may use this package.

Original advisory: CVE-2026-39835 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

CVE-2026-39828 is a vulnerability in the golang.org/x/crypto/ssh package that allows an attacker to bypass certificate-based restrictions in SSH connections. This could permit unauthorised access to systems that rely on SSH certificate validation as a security control. Services and applications built on Go that use this library for SSH communication — including Azure-hosted workloads — may be affected.

Architect’s Take: Audit any Go-based services deployed in your Azure environment that use golang.org/x/crypto/ssh for SSH connectivity, and update to the patched version of the library as soon as it is available. Pay particular attention to internal tooling, CI/CD pipelines, and infrastructure automation that may authenticate via SSH certificates.

Original advisory: CVE-2026-39828 Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh

A debug flag accidentally left enabled in production builds of multiple Microsoft 365 Android apps disabled a security check that restricts account token sharing to trusted Microsoft applications. As a result, any app installed on the same Android device could silently request and receive the signed-in user’s authentication token, granting full access to email, files, calendar, and the ability to send messages on their behalf. No user interaction, credentials, or elevated permissions were required to exploit this.

Architect’s Take: Audit your mobile application management (MAM) and Conditional Access policies to ensure app-based controls are enforced at the resource level and are not solely reliant on client-side token handling. Until Microsoft confirms a fully patched build is deployed, consider enforcing Continuous Access Evaluation (CAE) and restricting M365 access on Android to Intune-managed devices with compliant app versions.

Original advisory: Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

A debug flag accidentally left enabled in production builds of multiple Microsoft 365 Android apps disabled the trust check that normally restricts account-token sharing to authorised Microsoft applications. As a result, any app installed on the same Android device could silently request and receive a valid authentication token, granting full access to the victim’s email, files, calendar, and messaging without any user interaction or additional permissions. The flaw affects any user running a vulnerable Microsoft 365 Android app while also having a malicious or compromised app on the same device.

Architect’s Take: Mandate immediate updates to all affected Microsoft 365 Android apps across your managed device estate via your MDM/UEM solution, and review Conditional Access policies to detect anomalous token usage or unexpected app sign-ins. Consider temporarily blocking unmanaged Android devices from accessing Microsoft 365 resources until patched app versions are confirmed deployed.

Original advisory: Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

AWS IoT Core has introduced two new CloudWatch log event types: Ping logs for MQTT Keep-alive messages and Connection.AuthNError logs for failed authentication attempts. These logs help operators identify devices struggling to maintain connections and quickly diagnose certificate or credential failures across IoT fleets. This is an observability improvement rather than a security fix, but it meaningfully strengthens the ability to detect and respond to authentication anomalies.

Architect’s Take: Enable these new log event types in your AWS IoT Core logging configuration and consider creating CloudWatch Metric Filters or alarms on Connection.AuthNError events to surface potential credential misuse or certificate expiry issues proactively — particularly useful in large-scale fleets where silent authentication failures are easy to miss.

Original advisory: AWS IoT Core adds new logs to troubleshoot connectivity and authentication

AWS IoT Core has introduced two new CloudWatch log event types: Ping logs for MQTT keep-alive messages and Connection.AuthNError logs for failed authentication attempts. These additions give security and operations teams better visibility into device connectivity failures and credential or certificate issues across IoT fleets. This is a positive observability improvement rather than a vulnerability disclosure.

Architect’s Take: Enable event-level logging in AWS IoT Core and opt into both new event types immediately — feed Connection.AuthNError logs into your SIEM or CloudWatch alarms to detect potential credential stuffing or certificate misconfiguration across your IoT fleet at scale.

Original advisory: AWS IoT Core adds new logs to troubleshoot connectivity and authentication