Azure DevOps CVSS 10.0 Flaw Exposes Data, Patch Now
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 09, 2026
cybr.cx — Daily Cybersecurity Intelligence Digest
May 09, 2026
Critical Vulnerabilities
CVE-2026-42826 — Azure DevOps | CVSS 10.0 (Critical)
A perfect-ten information disclosure flaw in Azure DevOps allows an unauthenticated attacker to exfiltrate sensitive data over the network. At maximum severity with no authentication required, this should be your first patch priority today. If you're running self-hosted Azure DevOps Server, assume exposure until you've confirmed you're on a patched build. Review pipeline secrets, PATs, and repository access logs immediately.
CVE-2026-42271 — LiteLLM (AI Gateway) | CVSS 8.8 (High)
Versions 1.74.2 through 1.83.6 of LiteLLM expose two MCP server test endpoints that accept raw server configuration — including executable commands and environment variables — without adequate restriction. An attacker who can reach these endpoints can achieve remote code execution on the host running the AI gateway. If you've deployed LiteLLM in any production or shared environment, update to 1.83.7 or later now and audit network exposure of those endpoints.
CVE-2026-39816 — Apache NiFi 2.0.0-M1 through 2.8.0 | CVSS 8.8 (High)
The TinkerpopClientService component is missing the Restricted annotation that should require the Execute Code permission before use. This means lower-privileged NiFi users can configure Groovy script execution via ByteCode Submission without elevated rights — a straightforward privilege escalation path in multi-tenant or enterprise NiFi deployments. Upgrade to a patched release and audit your controller service permissions.
CVE-2026-8137 / CVE-2026-8138 — Totolink X5000R & Tenda CX12L | CVSS 8.8 (High)
Two separate router vulnerabilities, both remotely exploitable buffer overflows — one in Totolink's DDNS handler, one in Tenda's PPTP server configuration function — with public exploits already circulating. These are the kind of bugs that feed botnets within days of disclosure. If either device is on your network perimeter or in scope for an OT/home-office estate, isolate or replace them; patches for consumer-grade kit at this stage are not guaranteed to arrive quickly.
CVE-2026-34327 — Microsoft Partner Center | CVSS 8.2 (High)
An externally controlled resource reference flaw enables network-based spoofing attacks against Microsoft Partner Center. Organisations operating as Microsoft partners or managing customer tenants through Partner Center should monitor for anomalous delegated admin activity while awaiting Microsoft's patch.
CVE-2026-41105 — Azure Notification Service | CVSS 8.1 (High)
An SSRF vulnerability in Azure Notification Service can be leveraged by an authenticated attacker to escalate privileges over the network. Internal metadata services and adjacent cloud resources are the obvious targets. Review who has authenticated access to this service and apply least-privilege controls as an interim mitigation.
Headline News
ShinyHunters vs. Instructure: A Broken Access Control Report, a Defacement, and a Pattern
ShinyHunters has claimed a second breach of Instructure — the company behind Canvas LMS — defacing login pages of multiple customer institutions with extortion messages. What makes this incident particularly damaging to Instructure's credibility is the timing: a researcher had reported a broken access control vulnerability to the company via its bug bounty programme eleven months earlier, received no bounty, and watched the report get closed as "not applicable." Community concern is running high over the scale of potential personal data exposure, given Canvas's deep penetration into K-12 and higher education — student records, assignment data, and institutional credentials are all in scope. For practitioners, this is a textbook case of vulnerability triage failure creating downstream breach liability. Bug bounty programmes that systematically dismiss access control findings are not security programmes; they're paperwork.
Nation-State Actors Exploited PAN-OS Zero-Day for Weeks Before Detection
Palo Alto Networks has confirmed that suspected state-sponsored threat actors exploited a critical zero-day in PAN-OS — tracked as CVE-2026-0300 — for several weeks before the vulnerability was identified and patched, gaining root-level access to internet-facing firewalls and taking active steps to cover their tracks. The multi-week dwell time before detection is the headline within the headline: perimeter devices are high-value targets precisely because they sit outside most EDR coverage, and nation-state actors know how to live quietly on network gear. Any organisation running PAN-OS firewalls should treat its perimeter devices as potentially compromised if they were exposed during the window, pull logs, check for configuration drift, and validate firmware integrity. This incident reinforces a persistent and uncomfortable truth — your firewall vendor is also an attack surface.
Dirty Frag: A New Linux Zero-Day LPE With No Patch Yet
A newly disclosed local privilege escalation vulnerability in the Linux kernel — dubbed "Dirty Frag" by its discoverer — affects all major distributions and provides a reliable path to root for any local user. The disclosure arrived with a proof-of-concept exploit and, critically, without coordinated patch or CVE assignment, after the embargo was broken prematurely. The lineage is notable: Dirty Frag belongs to the same class of memory-fragmentation-related kernel flaws as the recently disclosed Copy Fail vulnerability, suggesting this attack surface is receiving serious research attention. Until upstream patches land and distributions backport fixes, defenders should focus on reducing local access exposure — shared systems, container escapes, and multi-tenant environments are the immediate risk areas.
Schrödinger's Feed
China Claims First Dual-Core Neutral Atom Quantum Computer
Chinese researchers have announced what they're calling the first dual-core neutral atom quantum computer — a hardware architecture that uses neutral atoms (rather than superconducting qubits or trapped ions) as computational units, with two cores operating in a coupled configuration. Neutral atom platforms have been generating serious interest because of their potential scalability and long coherence times, and a dual-core architecture hints at a modular path toward larger systems. From a cryptography standpoint, we're still in the "interesting but not immediately threatening" zone for RSA and ECC — but every credible hardware milestone from any major nation's quantum programme is a data point for how quickly post-quantum migration timelines need to move. Practitioners responsible for long-lived data or infrastructure with multi-year refresh cycles should treat this as a reminder that PQC standardisation is done; the implementation clock is ticking.
/dev/random
AI Is Quietly Dismantling Both Sides of Vulnerability Culture
A thoughtful piece making the rounds argues that AI is simultaneously breaking the "responsible disclosure" culture (by making vulnerability discovery fast, cheap, and hard to embargo) and the "security through obscurity" culture (by making it easier to rediscover what vendors hoped nobody would find). The Dirty Frag embargo break landed on the same news cycle, which felt almost too on-the-nose. The uncomfortable thesis is that AI doesn't just accelerate attack and defence equally — it disproportionately disrupts the social contracts and gentlemen's agreements that the industry has quietly relied on for thirty years. Worth a read if you've ever filed a CVE and wondered whether the whole framework still makes sense.