CVE-2026-33117: Security feature bypass vulnerability in Azure Key Vault Keys library for Java

May 12, 2026 (updated June 2, 2026)

The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.

References

github.com/Azure/azure-sdk-for-java/commit/1b5c5c79d85a5c9a9cfd07f6cdff6fd0f50eccf9
github.com/Azure/azure-sdk-for-java/pull/48476
github.com/advisories/GHSA-97jf-46m3-8953
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117
nvd.nist.gov/vuln/detail/CVE-2026-33117

Code Behaviors & Features

Detect and mitigate CVE-2026-33117 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →