A critical security flaw in the Azure API Management Developer Portal enables attackers to bypass administrator controls and register accounts across multiple tenants, even when user sign-up has been explicitly disabled.
The vulnerability remains unpatched as Microsoft considers it working “by design.”
The Vulnerability
Security researcher Mihalis Haatainen from Finnish cybersecurity firm Bountyy Oy discovered the flaw affecting Azure APIM Developer Portal instances configured with Basic Authentication.
The vulnerability allows attackers to create unauthorized accounts on any APIM instance with Basic Authentication enabled, regardless of whether administrators have disabled user registration through the portal interface.
The root cause stems from two critical issues. First, turning off signup in the Azure Portal UI only hides the registration form from view, leaving the underlying signup API endpoint fully functional.
Second, the signup API fails to validate that registration requests originate from the same tenant, allowing cross-tenant account creation through simple HTTP request manipulation.
Exploiting this vulnerability requires minimal technical sophistication: an attacker needs only access to any APIM Developer Portal with signup enabled, or their own APIM instance.
By intercepting a legitimate signup request and modifying the Host header to point to the target instance, attackers can successfully register accounts on victim portals that appear to have signup disabled.
This cross-tenant bypass works because the signup endpoint processes requests based solely on the Host header without enforcing tenant boundary validation.
Once registered, attackers gain access to potentially sensitive API documentation, subscription keys, and other resources exposed through the Developer Portal.
Microsoft’s Controversial Response
The researcher reported the vulnerability to Microsoft Security Response Center twice, first on September 30, 2025, and again on November 1, 2025, with additional technical details.
Both reports were closed by MSRC with the determination that the behavior is “by design” and does not constitute a security vulnerability.
Following Microsoft’s refusal to address the issue, the researcher reported it to CERT-FI before publicly disclosing the vulnerability on November 26, 2025. A CVE identifier was requested from MITRE on November 27, 2025.
Organizations running APIM instances are vulnerable if Basic Authentication is configured and the Developer Portal is accessible, regardless of UI signup settings.
The vulnerability enables cross-tenant account creation, bypasses administrative security controls, and potentially exposes internal API documentation and subscription keys to unauthorized external attackers.
APIM instances using only Azure AD or OAuth authentication are not affected, nor are instances where the Developer Portal is completely disabled, or the Basic Authentication provider has been entirely removed.
Organizations should immediately remove the Basic Authentication identity provider completely from their APIM instances rather than simply turning off signup in the UI.
Administrators should audit existing Developer Portal accounts for unauthorized registrations by reviewing creation timestamps and patterns.
Implementing Azure AD authentication as the exclusive identity provider enforces proper tenant boundaries and eliminates the vulnerability.
Organizations should regularly monitor portal signup activity and conduct periodic account audits.
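The audit recommended above, as an added example that is not part of the article and not Microsoft's code: it walks a list of Developer Portal user records and flags username/password ("Basic") accounts that were registered after the date signup was switched off in the UI, or that come from an e-mail domain the organization does not use. The record layout (a `properties` object with `email`, `state`, `registrationDate` and an `identities` list whose entries carry a `provider` field, with `Basic` for username/password accounts) is assumed from the ARM user listing for `Microsoft.ApiManagement/service/{name}/users`; the user records in the block are constructed sample data, and the `az rest` call in the comment, including its `api-version`, is an assumption about how an administrator would obtain a real listing.

```python
"""Audit Azure APIM Developer Portal accounts for registrations that could only have
arrived through the still-live Basic signup endpoint after signup was disabled in the UI.

Added example (not the article's or Microsoft's code). Assumes the ARM user-record shape:
properties.email, properties.state, properties.registrationDate (ISO 8601, trailing "Z")
and properties.identities[].provider ("Basic" for username/password accounts).
"""
from datetime import datetime

# Constructed sample resembling an ARM `users` listing. A real listing could be fetched with
#   az rest --method get --url "https://management.azure.com/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ApiManagement/service/<name>/users?api-version=2022-08-01"
# (assumption: that api-version supports the listing) and passed in as `value`.
SAMPLE_USERS = [
    {"name": "u-alice", "properties": {
        "email": "alice@contoso.example", "state": "active",
        "registrationDate": "2025-09-01T10:00:00Z",
        "identities": [{"provider": "Basic", "id": "alice@contoso.example"}]}},
    {"name": "u-bob", "properties": {
        "email": "bob@contoso.example", "state": "active",
        "registrationDate": "2025-11-20T08:30:00Z",
        "identities": [{"provider": "Aad", "id": "00000000-0000-0000-0000-000000000001"}]}},
    {"name": "u-mallory", "properties": {
        "email": "mallory@attacker.example", "state": "active",
        "registrationDate": "2025-11-05T02:14:00Z",
        "identities": [{"provider": "Basic", "id": "mallory@attacker.example"}]}},
    {"name": "u-carol", "properties": {
        "email": "carol@contoso.example", "state": "pending",
        "registrationDate": "2025-11-10T14:00:00Z",
        "identities": [{"provider": "Basic", "id": "carol@contoso.example"}]}},
]


def _parse_ts(value: str) -> datetime:
    """Parse an ARM timestamp; fromisoformat wants '+00:00' rather than a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def find_suspicious_registrations(users, signup_disabled_at, expected_domains, allow_emails=frozenset()):
    """Return Basic-provider accounts that look like unauthorized registrations.

    A record is reported when it was registered after `signup_disabled_at` (the moment
    signup was turned off in the UI) or when its e-mail domain is not one the organization
    expects. Azure AD / B2C accounts are skipped: they are not created by this bypass.
    `allow_emails` exempts accounts an administrator knowingly created after the cutoff.
    """
    cutoff = _parse_ts(signup_disabled_at)
    expected = {d.lower() for d in expected_domains}
    findings = []
    for user in users:
        props = user.get("properties", {})
        providers = {ident.get("provider") for ident in props.get("identities", [])}
        if "Basic" not in providers:
            continue
        email = props.get("email", "")
        if email in allow_emails:
            continue
        reasons = []
        if _parse_ts(props["registrationDate"]) > cutoff:
            reasons.append("registered_after_signup_disabled")
        if _domain(email) not in expected:
            reasons.append("unexpected_email_domain")
        if reasons:
            findings.append({
                "name": user["name"],
                "email": email,
                "state": props.get("state"),
                "registrationDate": props["registrationDate"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # Signup was switched off in the UI on 2025-10-15 (constructed date for the sample).
    for finding in find_suspicious_registrations(SAMPLE_USERS, "2025-10-15T00:00:00Z", {"contoso.example"}):
        print(f'{finding["name"]:<10} {finding["email"]:<28} {finding["registrationDate"]}  {", ".join(finding["reasons"])}')
```

Run against the sample, the script reports `u-mallory` (registered after the cutoff from a foreign domain) and `u-carol` (registered after the cutoff); the Azure AD account `u-bob` is ignored even though it is recent, because that provider is not affected. Accounts flagged only as "registered after signup disabled" from an expected domain still deserve a check against the change log, since a Basic account can also be created deliberately by an administrator.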
