Latest release contains critical CVE-2026-39892

[JimCooke]

Describe the bug

This software is failing our security scanning within our company, we have had to put in our own workaround but you need to upgrade your python cryptography version to 46.0.7+ (released on 2026-04-07)

Located at file /opt/az/lib/python3.13/site-packages/cryptography-46.0.6.dist-info

https://nvd.nist.gov/vuln/detail/CVE-2026-39892

Related command

No applicable

Errors

Not applicable .. the python package you are using contains a critical vulnerability

Issue script & Debug output

not applicable

Expected behavior

I want the security scans run by SecOps to pass

Environment Summary

root@b3e342e9acbf:/runner# az --version
azure-cli 2.85.0

core 2.85.0
telemetry 1.1.0

Dependencies:
msal 1.35.1
azure-mgmt-resource 24.0.0

Python location '/opt/az/bin/python3'
Config directory '/root/.azure'
Extensions directory '/root/.azure/cliextensions'

Python (Linux) 3.13.11 (main, Mar 31 2026, 07:18:38) [GCC 13.3.0]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

https://nvd.nist.gov/vuln/detail/CVE-2026-39892

[yonzhan]

Thank you for opening this issue, we will look into it.

[JimCooke]

for what it's worth, my container image is now passing security when I did this after installing the package

RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash &&
/opt/az/bin/python3 -m pip install --upgrade --no-cache-dir "cryptography>=46.0.7"

[github-actions]

This issue is related to security. Please pay attention.

Powered by issue-sentinel

[naga-nandyala]

HI

We have bumped the version, and it will be available in our next release 2.86.0. This will be available on 5th May 2026.
PR ref: e51a1c6

Thanks