CVE-2026-23655 is a security vulnerability classified under CWE-312, which involves the cleartext storage of sensitive information within Microsoft ACI Confidential Containers, specifically in the Azure Compute Gallery. The vulnerability affects version 1.0.0 of the product and was published on February 10, 2026. The flaw allows an attacker who is authorized with limited privileges (PR:L) and has network access (AV:N) to disclose sensitive data stored in cleartext without requiring user interaction (UI:N). The vulnerability impacts confidentiality (C:H) but does not affect integrity or availability. The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The CVSS 3.1 base score is 6.5, reflecting a medium severity level. This vulnerability arises because sensitive information, potentially including secrets or credentials, is stored without encryption or adequate protection, making it accessible to attackers who can access the network and have some level of authorization. Although no exploits are currently known in the wild, the risk remains significant due to the sensitivity of the data exposed. The vulnerability is particularly relevant for organizations leveraging Microsoft ACI Confidential Containers for secure containerized workloads in Azure, as it undermines the confidentiality guarantees expected from confidential computing environments. No official patches or updates have been linked yet, so mitigation relies on operational controls and monitoring.

The primary impact of CVE-2026-23655 is the unauthorized disclosure of sensitive information stored in cleartext within Azure Compute Gallery used by Microsoft ACI Confidential Containers. This can lead to exposure of secrets, credentials, or other confidential data, potentially enabling further attacks such as privilege escalation, lateral movement, or data breaches. Since the vulnerability requires an attacker to have some authorized access and network connectivity, the risk is somewhat contained but still significant in environments where multiple users or services share access. The confidentiality breach could undermine trust in confidential computing solutions and expose organizations to compliance violations, intellectual property theft, and operational disruptions. The lack of impact on integrity and availability means the system's functionality remains intact, but the loss of confidentiality alone can have severe consequences depending on the nature of the exposed data. Organizations relying on Microsoft ACI Confidential Containers for sensitive workloads are at risk of data leakage, especially if internal access controls are weak or if attackers gain initial footholds within the network.

1. Restrict network access to Azure Compute Gallery and Microsoft ACI Confidential Containers to only trusted and necessary users and services, employing network segmentation and firewall rules. 2. Enforce strict role-based access control (RBAC) policies to minimize the number of users or services with privileges that could access sensitive information stored in cleartext. 3. Monitor access logs and network traffic for unusual or unauthorized access patterns to detect potential exploitation attempts early. 4. Avoid storing sensitive information in cleartext within container images or Azure Compute Gallery; instead, use Azure Key Vault or other secure secret management solutions integrated with confidential containers. 5. Regularly audit and review configurations and permissions related to Microsoft ACI Confidential Containers and Azure Compute Gallery to ensure adherence to the principle of least privilege. 6. Stay updated with Microsoft security advisories for patches or updates addressing this vulnerability and apply them promptly once available. 7. Consider implementing additional encryption layers or data protection mechanisms at the application level to reduce reliance on platform-level confidentiality guarantees. 8. Educate and train administrators and developers on secure handling of sensitive data within containerized environments to prevent inadvertent exposure.