Description
Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from weak authentication handling within Microsoft Dynamics 365 Business Central. An attacker who already holds authorized credentials can exploit the flaw locally to elevate their privileges to a higher level, granting them broader access to system resources and sensitive data. The weakness is identified as CWE-1390 and allows the attacker to override the intended access controls without requiring additional exploitation steps beyond exploiting the authentication logic.

Affected Systems

Microsoft Dynamics 365 Business Central is affected in multiple releases: 2024 Release Wave 2, 2025 Release Wave 1, 2025 Release Wave 2, and 2026 Release Wave 1. Users deploying any of these versions on-premises or in cloud environments should verify their installation against the affected product list.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity level for privilege escalation. The EPSS score is not available, so the current probability of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a locally authenticated user; therefore it is a local privilege escalation scenario. The attacker can leverage existing legitimate credentials and the weak authentication flow to gain elevated rights, potentially compromising confidentiality, integrity, and availability of the Business Central instance.

Generated by OpenCVE AI on May 12, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update that addresses CVE‑2026‑40417 from the Microsoft Security Update Guide
  • Restrict account permissions by enforcing least privilege for users with privileged roles until the patch is deployed
  • Disable or isolate any legacy authentication methods that may be susceptible to weak credential handling
  • Monitor authentication logs for unusual privilege escalation activity and confirm MFA is enforced where possible

Generated by OpenCVE AI on May 12, 2026 at 20:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft dynamics 365 Business Central
CPEs cpe:2.3:a:microsoft:dynamics_365_business_central:2024:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central:2025:release_wave_1:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central:2025:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central:2026:release_wave_1:*:*:*:*:*:*
Vendors & Products Microsoft dynamics 365 Business Central

Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft dynamics 365 Business Central 2024 Wave 1
Microsoft dynamics 365 Business Central 2024 Wave 2
Microsoft dynamics 365 Business Central 2025 Wave 1
Microsoft dynamics 365 Business Central 2025 Wave 2
Vendors & Products Microsoft dynamics 365 Business Central 2024 Wave 1
Microsoft dynamics 365 Business Central 2024 Wave 2
Microsoft dynamics 365 Business Central 2025 Wave 1
Microsoft dynamics 365 Business Central 2025 Wave 2

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
Title Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft dynamics 365 Business Central 2024
Microsoft dynamics 365 Business Central 2025
Microsoft dynamics 365 Business Central 2026
Weaknesses CWE-1390
CPEs cpe:2.3:a:microsoft:dynamics_365_business_central_2024:*:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central_2025:*:release_wave_1:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central_2025:*:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central_2026:*:release_wave_1:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft dynamics 365 Business Central 2024
Microsoft dynamics 365 Business Central 2025
Microsoft dynamics 365 Business Central 2026
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Dynamics 365 Business Central Dynamics 365 Business Central 2024 Dynamics 365 Business Central 2024 Wave 1 Dynamics 365 Business Central 2024 Wave 2 Dynamics 365 Business Central 2025 Dynamics 365 Business Central 2025 Wave 1 Dynamics 365 Business Central 2025 Wave 2 Dynamics 365 Business Central 2026
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-02T23:16:41.289Z

Reserved: 2026-04-13T00:27:50.798Z

Link: CVE-2026-40417

cve-icon Vulnrichment

Updated: 2026-05-13T10:00:54.242Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:19.817

Modified: 2026-06-03T01:19:19.580

Link: CVE-2026-40417

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:38:06Z

Weaknesses