Skip to main content

Microsoft Live Share Canvas SDK CVE-2026-45644

| EUVDEUVD-2026-35568 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-09 secure@microsoft.com GHSA-pc2q-pf7r-rf2w
8.0
CVSS 3.1 · Vendor: microsoft
Temporal: 7.0
Share

Severity by source

Vendor (microsoft) PRIMARY
8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.0 HIGH
cvss

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 18:03 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 8.0

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Live Share Canvas SDK allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege elevation via stored or reflected cross-site scripting in Microsoft Live Share Canvas SDK enables an authenticated attacker on the network to execute script in another user's browser context and gain elevated permissions within collaborative Live Share sessions. The CVSS 8.0 vector reflects high impact across confidentiality, integrity, and availability, though successful exploitation requires both low-level authentication and user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Microsoft Live Share Canvas SDK is a developer toolkit that enables real-time collaborative inking, drawing, and shared visual surfaces inside Microsoft Teams meeting extensions and other Live Share-enabled applications, built on top of the Fluid Framework for low-latency state synchronization between participants. The root cause is CWE-79, improper neutralization of user-controlled input during web page generation, meaning data flowing through the shared canvas state or related rendering paths is rendered into the browser DOM without sufficient encoding or sanitization. Because Live Share content is mirrored across all session participants in near real-time, a payload injected by one participant is reflected into every other participant's rendered view, turning a classic XSS into a vector for cross-user privilege elevation within the hosting application's origin.

RemediationAI

Patch available per vendor advisory - consult the MSRC entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45644 and upgrade the @microsoft/live-share-canvas dependency in any application that embeds it to the fixed version specified there, then rebuild and redeploy affected Teams apps or Live Share-enabled clients. As a compensating control until the upgrade lands, restrict Live Share sessions to authenticated internal participants and disable external/guest access to meetings that use canvas-based collaborative extensions, accepting the trade-off that this blocks legitimate cross-tenant collaboration. Application developers consuming the SDK should also audit any custom render paths that surface canvas-derived data into HTML and apply contextual output encoding, recognizing this is a defense-in-depth measure and not a substitute for the vendor fix.

Share

CVE-2026-45644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy