GHSA-97jf-46m3-8953 · Severity: critical · Ecosystem: maven — Security feature bypass vulnerability in Azure Key Vault Keys library for Java
The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted encrypted input may bypass integrity verification checks. Operations delegated to the Key Vault service are not affected. The issue is addressed in version 4.10.6.
Conclusion & alert: CVE-2026-33117 is rated Moderate Risk (49.6/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.48%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-23 | 0.45% | 0.48% | +0.03% |
| 2 | 2026-06-15 | 0.03% | 0.45% | +0.41% |
| 3 | 2026-05-13 | — | 0.03% | — |
Full EPSS history (3 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.1 | 3.1 | CRITICAL |
|
3.9 | 5.2 | [email protected] |
GHSA-97jf-46m3-8953 · Severity: critical · Ecosystem: maven — Security feature bypass vulnerability in Azure Key Vault Keys library for Java
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| microsoft | azure_sdk_for_java | < 4.10.6 | cpe:2.3:a:microsoft:azure_sdk_for_java:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33117 | Vendor Advisory |