Skip to main content

Microsoft CVE-2026-33103

| EUVDEUVD-2026-22627 MEDIUM
Improper Access Control (CWE-284)
2026-04-14 microsoft GHSA-2xv6-cw52-2cqc
5.5
CVSS 3.1 · NVD
Temporal: 4.8
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
4.8 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 14, 2026 - 19:43 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22627
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:58 nvd
MEDIUM 5.5

DescriptionCVE.org

Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally.

AnalysisAI

Improper access control in Microsoft Dynamics 365 (on-premises) version 9.0 allows authenticated local attackers to disclose sensitive information without user interaction. The vulnerability stems from insufficient authorization checks that permit users with low-level privileges to access confidential data through local access vectors. This affects Dynamics 365 on-premises deployments up to version 9.0.0043.x, with vendor-released patches available from Microsoft.

Technical ContextAI

Microsoft Dynamics 365 (on-premises) implements role-based access control mechanisms to enforce information disclosure boundaries. The vulnerability is rooted in CWE-284 (Improper Access Control), indicating a flaw in how the application validates authorization decisions before exposing sensitive resources. The affected product is the on-premises variant of Dynamics 365 (CPE: cpe:2.3:a:microsoft:microsoft_dynamics_365_(on-premises)_version_9.0), which is commonly deployed in enterprise environments where local system access is available to multiple users with varying privilege levels. The improper access control allows users with low privileges (PR:L in CVSS) to bypass intended authorization controls and retrieve information marked for higher-privilege access.

RemediationAI

Vendor-released patch: Microsoft has published a security update addressing this vulnerability. Organizations should upgrade Microsoft Dynamics 365 (on-premises) version 9.0 to version 9.1.0044.0015 or later. The patch is available through the Microsoft Security Response Center (MSRC) at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33103. Administrators should apply this update during scheduled maintenance windows after testing in non-production environments. For environments where immediate patching is not possible, implement compensating controls such as restricting local system access to Dynamics 365 servers, enforcing principle of least privilege for service accounts, and monitoring access logs for anomalous information retrieval patterns.

Share

CVE-2026-33103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy