Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally.
AnalysisAI
Improper access control in Microsoft Dynamics 365 (on-premises) version 9.0 allows authenticated local attackers to disclose sensitive information without user interaction. The vulnerability stems from insufficient authorization checks that permit users with low-level privileges to access confidential data through local access vectors. This affects Dynamics 365 on-premises deployments up to version 9.0.0043.x, with vendor-released patches available from Microsoft.
Technical ContextAI
Microsoft Dynamics 365 (on-premises) implements role-based access control mechanisms to enforce information disclosure boundaries. The vulnerability is rooted in CWE-284 (Improper Access Control), indicating a flaw in how the application validates authorization decisions before exposing sensitive resources. The affected product is the on-premises variant of Dynamics 365 (CPE: cpe:2.3:a:microsoft:microsoft_dynamics_365_(on-premises)_version_9.0), which is commonly deployed in enterprise environments where local system access is available to multiple users with varying privilege levels. The improper access control allows users with low privileges (PR:L in CVSS) to bypass intended authorization controls and retrieve information marked for higher-privilege access.
RemediationAI
Vendor-released patch: Microsoft has published a security update addressing this vulnerability. Organizations should upgrade Microsoft Dynamics 365 (on-premises) version 9.0 to version 9.1.0044.0015 or later. The patch is available through the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33103. Administrators should apply this update during scheduled maintenance windows after testing in non-production environments. For environments where immediate patching is not possible, implement compensating controls such as restricting local system access to Dynamics 365 servers, enforcing principle of least privilege for service accounts, and monitoring access logs for anomalous information retrieval patterns.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22627
GHSA-2xv6-cw52-2cqc