Skip to main content

Microsoft Dynamics 365 CVE-2026-47647

| EUVDEUVD-2026-37947 CRITICAL
Improper Access Control (CWE-284)
2026-06-18 microsoft GHSA-vq29-76j3-6vh5
9.9
CVSS 3.1 · Vendor: microsoft
Temporal: 8.6
Share

Severity by source

Vendor (microsoft) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CIRCL (temporal)
8.6 HIGH
cvss
vuln.today AI
9.9 CRITICAL

Network-reachable Dynamics 365 endpoint, low complexity, requires any authenticated low-priv user (PR:L), no UI; scope changes across authorization boundary with full CIA impact post-escalation.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 22:18 vuln.today
CVE Published
Jun 18, 2026 - 21:42 cve.org
CRITICAL 9.9

DescriptionCVE.org

Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in Microsoft Dynamics 365 allows authenticated low-privileged users to gain elevated rights across a network due to improper access control enforcement. The flaw carries a critical CVSS 9.9 score with scope change, indicating impact beyond the vulnerable component, and Microsoft has issued a patch via MSRC. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Dynamics 365 credentials
Delivery
Authenticate to tenant endpoint
Exploit
Send crafted authorization-bypass request
Execution
Gain elevated role across scope
Impact
Exfiltrate data or modify records

Vulnerability AssessmentAI

Exploitation Attacker must hold valid low-privileged authenticated access (PR:L) to a Microsoft Dynamics 365 instance - any legitimate user role suffices, but at least one set of working credentials or an OAuth token is required, meaning fully unauthenticated internet attackers cannot exploit this. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward high priority: CVSS 9.9 with AV:N/AC:L/PR:L/UI:N/S:C and high CIA impact indicates trivial network exploitation by any authenticated user with broad blast radius, and Microsoft is the reporter which lends high source confidence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains low-privileged credentials to a Dynamics 365 tenant - for example via phishing a sales rep or compromising a contractor account - then issues a crafted API or web request that bypasses authorization checks and grants administrative or cross-org privileges. With elevated rights, the attacker exports customer PII, modifies financial records, or pivots to other Entra-protected resources made reachable by the scope-change impact.
Remediation Apply the Microsoft-released patch as documented in MSRC advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47647; for Dynamics 365 Online tenants Microsoft typically rolls out fixes through the service automatically, but administrators should verify their tenant build and any required customer-side action in the Power Platform admin center. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Dynamics 365 deployments and identify users with low-privilege accounts; implement access logging and alerts for privilege escalation attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47647 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy