Description
Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-04-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery allowing unauthorized network spoofing
Action: Immediate Patch
AI Analysis

Impact

A server-side request forgery flaw in Microsoft Dynamics 365 (online) lets an attacker cause the server to issue requests to arbitrary network resources. The weakness is classified as CWE-918 and carries a CVSS score of 9.3 (Critical). An attacker who can trigger the flaw can potentially probe internal services, access sensitive data, or perform other unauthorized network actions.

Affected Systems

Microsoft Dynamics 365 (online). No specific version information is provided, so all currently deployed instances of the online service should be treated as affected.

Risk and Exploitability

The EPSS score of < 1% suggests that active exploitation is currently rare, but the high CVSS score means the flaw remains a significant threat even though it is not yet listed in the KEV catalog. The vulnerability can be leveraged over the network via crafted HTTP requests to the Dynamics 365 service; the CVSS vector indicates that no privileges are required, though user interaction is. Because the flaw is publicly disclosed but exploitation is currently unlikely, organizations should not overlook it, especially given the potential for internal network reach.

Generated by OpenCVE AI on April 28, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official security update for Microsoft Dynamics 365 online that addresses the SSRF flaw.
  • Restrict outbound traffic from the Dynamics 365 environment to only the endpoints that are required for normal operation, rejecting all other destinations.
  • Configure input validation or URL filtering on the Dynamics 365 service to prevent user‑supplied URLs from being used in server‑initiated requests.

Advisories

No advisories yet.

History

Tue, 05 May 2026 14:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Microsoft dynamics 365
CPEs                                  cpe:2.3:a:microsoft:dynamics_365:-:*:*:*:online:*:*:*
Vendors & Products                    Microsoft dynamics 365

Fri, 24 Apr 2026 14:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 22:00:00 +0000

Type                 Values Removed   Values Added
Description                           Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.
Title                                 Microsoft Dynamics 365 (online) Spoofing Vulnerability
First Time appeared                   Microsoft
                                      Microsoft dynamics 365 Online
Weaknesses                            CWE-918
CPEs                                  cpe:2.3:a:microsoft:dynamics_365_online:*:*:*:*:*:*:*:*
Vendors & Products                    Microsoft
                                      Microsoft dynamics 365 Online
References
Metrics                               cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:37:45.490Z

Reserved: 2026-03-11T01:49:58.659Z

Link: CVE-2026-32210

Vulnrichment

Updated: 2026-04-24T13:36:14.408Z

NVD

Status : Analyzed

Published: 2026-04-23T22:16:35.260

Modified: 2026-05-05T14:10:29.540

Link: CVE-2026-32210

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:30:26Z

Weaknesses