CVE-2026-6276 is a vulnerability in Azure where a stale custom cookie host configuration can cause session cookies to be leaked to unintended parties. This could allow an attacker to intercept or reuse authentication cookies, potentially gaining unauthorised access to user sessions or sensitive data. It matters because cookie leakage in cloud-hosted applications can lead to account takeover without requiring credentials.

Security Architect’s Take: Review any Azure-hosted applications using custom cookie domain configurations and ensure cookie host settings are kept current and accurate — stale or misconfigured host entries should be audited and corrected promptly. Apply any available Microsoft patch and consider enforcing the Secure and SameSite=Strict cookie attributes as a defence-in-depth measure.

Original advisory: CVE-2026-6276 stale custom cookie host causes cookie leak