Description
Improper authentication in Azure Bot Service allows an authorized attacker to elevate privileges over a network.
Published: 2026-06-18
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw stems from improper authentication in Azure Bot Service. An attacker who already has authorized access can trick the service into granting higher privileges. This weakness could allow the attacker to manipulate bot configuration, access sensitive data, or execute arbitrary commands, compromising the confidentiality, integrity, and availability of the bot environment. The weakness corresponds to CWE-287.

Affected Systems

The affected product is Microsoft Azure AI Bot Service. No specific versions are listed in the CNA data, so all deployments that use this service may be vulnerable until a fix is applied. The vulnerability is reported to affect the authentication layer operating over the service’s network interface.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. EPSS is not available, and the lack of a KEV listing suggests no publicly known exploit yet. The likely attack vector requires an authenticated user, but the escalation of privileges increases the potential impact. Applying vendor patches should eliminate the flaw; until then, administrators should limit privileged access and monitor for anomalous activity.

Generated by OpenCVE AI on June 18, 2026 at 23:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update or patch released by Microsoft for Azure AI Bot Service
  • Review and tighten IAM roles, ensuring least privilege for bot service users
  • Enable multi‑factor authentication for all privileged accounts interacting with the bot service
  • Monitor audit logs for unusual elevation attempts and enforce hardening policies

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper authentication in Azure Bot Service allows an authorized attacker to elevate privileges over a network. |
| Title | | Azure Bot Service Elevation of Privilege Vulnerability |
| First Time appeared | | Microsoft; Microsoft azure Ai Bot Service |
| Weaknesses | | CWE-287 |
| CPEs | | cpe:2.3:a:microsoft:azure_ai_bot_service:*:*:*:*:*:*:*:* |
| Vendors & Products | | Microsoft; Microsoft azure Ai Bot Service |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-18T21:39:17.817Z

Reserved: 2026-03-10T23:09:43.267Z

Link: CVE-2026-32174

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses