Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Live Share Canvas SDK allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege elevation via stored or reflected cross-site scripting in Microsoft Live Share Canvas SDK enables an authenticated attacker on the network to execute script in another user's browser context and gain elevated permissions within collaborative Live Share sessions. The CVSS 8.0 vector reflects high impact across confidentiality, integrity, and availability, though successful exploitation requires both low-level authentication and user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Microsoft Live Share Canvas SDK is a developer toolkit that enables real-time collaborative inking, drawing, and shared visual surfaces inside Microsoft Teams meeting extensions and other Live Share-enabled applications, built on top of the Fluid Framework for low-latency state synchronization between participants. The root cause is CWE-79, improper neutralization of user-controlled input during web page generation, meaning data flowing through the shared canvas state or related rendering paths is rendered into the browser DOM without sufficient encoding or sanitization. Because Live Share content is mirrored across all session participants in near real-time, a payload injected by one participant is reflected into every other participant's rendered view, turning a classic XSS into a vector for cross-user privilege elevation within the hosting application's origin.
RemediationAI
Patch available per vendor advisory - consult the MSRC entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45644 and upgrade the @microsoft/live-share-canvas dependency in any application that embeds it to the fixed version specified there, then rebuild and redeploy affected Teams apps or Live Share-enabled clients. As a compensating control until the upgrade lands, restrict Live Share sessions to authenticated internal participants and disable external/guest access to meetings that use canvas-based collaborative extensions, accepting the trade-off that this blocks legitimate cross-tenant collaboration. Application developers consuming the SDK should also audit any custom render paths that surface canvas-derived data into HTML and apply contextual output encoding, recognizing this is a defense-in-depth measure and not a substitute for the vendor fix.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35568
GHSA-pc2q-pf7r-rf2w