Skip to main content

Azure Bot Service EUVDEUVD-2026-37945

| CVE-2026-32174 HIGH
Improper Authentication (CWE-287)
2026-06-18 microsoft GHSA-qv5v-67pv-5jmc
8.8
CVSS 3.1 · NVD
Temporal: 6.7
Share

Severity by source

Vendor (microsoft) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
6.7 MEDIUM
cvss
vuln.today AI
8.8 HIGH

Network-reachable managed service (AV:N/AC:L) requiring an existing low-privilege authenticated foothold (PR:L) to elevate; no user interaction; high C/I/A consistent with privilege gain over bot resources.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 24, 2026 - 15:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 24, 2026 - 15:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 24, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Jun 24, 2026 - 15:22 NVD
7.7 (HIGH) 8.8 (HIGH)
Analysis Generated
Jun 18, 2026 - 22:17 vuln.today
CVE Published
Jun 18, 2026 - 21:39 cve.org
HIGH 7.7

DescriptionNVD

Improper authentication in Azure Bot Service allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege elevation in Microsoft's Azure (AI) Bot Service lets an authenticated, network-based attacker bypass improper authentication checks (CWE-287) to gain higher privileges than originally granted. Tracked as CVE-2026-32174 (CVSS 8.8) and reported by Microsoft, it affects the cloud-hosted Azure Bot Service and carries high confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege bot/channel credential
Delivery
Send crafted authenticated request over network
Exploit
Bypass improper authentication check
Execution
Service grants elevated privileges
Impact
Access or modify bot resources beyond scope

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess some legitimate, low-level authenticated access to Azure Bot Service (CVSS PR:L) reachable over the network (AV:N), but needs no user interaction (UI:N) and has low complexity (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed but lean toward moderate, not emergency, priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who already holds a low-privilege, authenticated foothold to the Bot Service (for example a valid but limited channel token, bot identity, or tenant account) sends crafted requests over the network that the service fails to authenticate correctly, causing it to grant elevated privileges. With no user interaction and low attack complexity, the attacker then accesses or manipulates bot resources beyond their intended scope. …
Remediation Patch available per vendor advisory: Microsoft reports a fix is available, and because Azure Bot Service is a managed cloud service the remediation is applied server-side by Microsoft, so most customers require no manual update - confirm exposure and any required client/SDK or channel reconfiguration via the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32174. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Azure Bot Service deployments and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy