Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable managed service (AV:N/AC:L) requiring an existing low-privilege authenticated foothold (PR:L) to elevate; no user interaction; high C/I/A consistent with privilege gain over bot resources.
Primary rating from Vendor (microsoft).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
Improper authentication in Azure Bot Service allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege elevation in Microsoft's Azure (AI) Bot Service lets an authenticated, network-based attacker bypass improper authentication checks (CWE-287) to gain higher privileges than originally granted. Tracked as CVE-2026-32174 (CVSS 8.8) and reported by Microsoft, it affects the cloud-hosted Azure Bot Service and carries high confidentiality, integrity, and availability impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to already possess some legitimate, low-level authenticated access to Azure Bot Service (CVSS PR:L) reachable over the network (AV:N), but needs no user interaction (UI:N) and has low complexity (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but lean toward moderate, not emergency, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who already holds a low-privilege, authenticated foothold to the Bot Service (for example a valid but limited channel token, bot identity, or tenant account) sends crafted requests over the network that the service fails to authenticate correctly, causing it to grant elevated privileges. With no user interaction and low attack complexity, the attacker then accesses or manipulates bot resources beyond their intended scope. … |
| Remediation | Patch available per vendor advisory: Microsoft reports a fix is available, and because Azure Bot Service is a managed cloud service the remediation is applied server-side by Microsoft, so most customers require no manual update - confirm exposure and any required client/SDK or channel reconfiguration via the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32174. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Azure Bot Service deployments and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Azure Ai Bot Service
View allImproper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network.
Improper authorization in Azure Bot Framework SDK allows an unauthorized attacker to elevate privileges over a network.
Azure Bot Service Elevation of Privilege Vulnerability. Rated critical severity (CVSS 9.0), this vulnerability is remote
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37945
GHSA-qv5v-67pv-5jmc