Windows Admin Center CVE-2026-26119 Lets Low-Privilege Users Silently Escalate to Admin
A CVSS 8.8 improper authentication flaw in Windows Admin Center version 2.6.4 allows any authenticated low-privilege user to craft API calls that the server incorrectly processes as fully authorized, granting admin-level control over managed servers.
Microsoft disclosed and patched CVE-2026-26119 on February 17, 2026 as part of its monthly security release cycle. The vulnerability carries a CVSS score of 8.8 and affects Windows Admin Center version 2.6.4. It allows an authenticated but low-privileged network user to silently elevate their privileges across an enterprise management plane, inheriting the authority of the account under which Windows Admin Center runs.
Technical Details
The flaw is classified as improper authentication (CWE-287). Windows Admin Center's backend endpoints rely on the initial authentication context without performing consistent, per-action authorization checks. A malicious actor with valid but low-privilege credentials can craft specific API calls that the server incorrectly treats as permitted at a higher privilege level.
No additional user interaction is required after the initial authenticated session is established, making silent exploitation feasible in any environment where an attacker already holds even minimal valid credentials. Because Windows Admin Center is commonly deployed to manage fleets of Windows servers centrally, successful exploitation provides an attacker with broad lateral reach across managed infrastructure.
Patch Status and Recommended Action
Microsoft released the patch on February 17, 2026. As of initial advisories, no confirmed active exploitation in the wild has been publicly reported, but vendors warn that the vulnerability is straightforward to exploit and recommend immediate remediation.
Administrators running Windows Admin Center should apply the update without delay. As an interim measure, restricting network access to the Windows Admin Center management interface to trusted management subnets reduces exposure. Organizations should also audit which accounts have any level of access to Admin Center instances and rotate credentials where appropriate while the patch is applied.
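One way to check the interim network restriction described above, as an added example that is not part of the original article or Microsoft's tooling: it lists every enabled inbound allow rule that admits traffic to the Windows Admin Center port and flags rules with no source restriction. The port value and the management subnets are assumptions to replace with your own, and `Get-WacInboundExposure` is a hypothetical helper name.

```powershell
# Added example. Run in an elevated session on the Windows Admin Center gateway host.
# Assumptions: the gateway listens on TCP 443 (the port is chosen at install time)
# and the subnets below are placeholders for your management networks.
$WacPort        = '443'
$TrustedSubnets = @('10.10.50.0/24', '10.10.51.0/24')

function Get-WacInboundExposure {
    param([Parameter(Mandatory)][string]$Port)

    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $localPorts = @($portFilter.LocalPort)

        # Skip rules that cannot admit TCP traffic to the WAC port.
        # Port ranges such as '400-500' are not expanded here; review those by hand.
        if ($portFilter.Protocol -notin @('TCP', 'Any')) { return }
        if (($localPorts -notcontains $Port) -and ($localPorts -notcontains 'Any')) { return }

        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
        [pscustomobject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = $remote -join ', '
            # 'Any' means every network that can route to this host reaches the gateway.
            Unrestricted  = $remote -contains 'Any'
        }
    }
}

$exposure = Get-WacInboundExposure -Port $WacPort
$exposure | Sort-Object Unrestricted -Descending | Format-Table -AutoSize -Wrap

# To scope an unrestricted rule to the management subnets, review the list above
# (a broad rule may also serve other services), then preview the change with -WhatIf:
# $exposure | Where-Object Unrestricted | ForEach-Object {
#     Set-NetFirewallRule -Name $_.Name -RemoteAddress $TrustedSubnets -WhatIf
# }
```

Rules delivered by Group Policy are not in the local store this queries by default; add `-PolicyStore ActiveStore` to the `Get-NetFirewallRule` call to audit the effective rule set.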