Azure SRE Agent flaw lets outsiders silently eavesdrop on enterprise cloud operations

A critical authentication flaw (CVE-2026-32173, CVSS 8.6) in Microsoft's Azure SRE Agent allowed any valid Entra ID account from any tenant to silently eavesdrop on live agent activity streams. The vulnerability stemmed from a multi-tenant app registration misconfiguration on the /agentHub WebSocket endpoint, which validated tokens but never verified tenant membership or authorization. Once connected, attackers received all broadcasted events including user prompts, internal reasoning traces, executed commands with full arguments, and credentials — with no trace left on the victim's side. Exploitation required only the target's predictable subdomain and ~15 lines of Python. Microsoft has patched the issue server-side with no customer action required, but organizations that used the agent during preview should treat that period as potentially compromised and rotate any credentials that passed through agent conversations.