Description
Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.
Published: 2026-06-09
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper handling of insufficient permissions in Microsoft Dynamics 365 (on-premises) lets an attacker who already has some authorization raise their privileges across the network. The vulnerability can allow the attacker to gain elevated access and potentially control system functions that should be restricted, leading to increased confidentiality and integrity risks.

Affected Systems

Microsoft Dynamics 365 (on-premises) version 9.1 is affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. While an EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, the risk remains significant because the attack vector requires an authorized user with existing access, which is a realistic scenario in many environments. Exploitation would involve the attacker leveraging the application's insufficient permission checks to elevate privileges over the network, resulting in potential system compromise.

Generated by OpenCVE AI on June 9, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for Microsoft Dynamics 365 on‑premises when released
  • Configure least‑privilege settings to limit authorized user permissions
  • Monitor for unapproved privilege changes and review audit logs regularly



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft dynamics 365 Server
Vendors & Products | | Microsoft dynamics 365 Server

Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.
Title | | Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability
First Time appeared | | Microsoft; Microsoft dynamics 365
Weaknesses | | CWE-280
CPEs | | cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*
Vendors & Products | | Microsoft; Microsoft dynamics 365
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:33.246Z

Reserved: 2026-04-11T23:06:15.615Z

Link: CVE-2026-40371

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:05.970

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-40371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:20:08Z

Weaknesses