Description
Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from weak authentication handling within Microsoft Dynamics 365 Business Central. An attacker who already holds authorized credentials can exploit the flaw locally to elevate their privileges to a higher level, granting them broader access to system resources and sensitive data. The weakness is identified as CWE-1390 and allows the attacker to override the intended access controls without requiring additional exploitation steps beyond exploiting the authentication logic.

Affected Systems

Microsoft Dynamics 365 Business Central is affected in multiple releases: 2024 Release Wave 2, 2025 Release Wave 1, 2025 Release Wave 2, and 2026 Release Wave 1. Users deploying any of these versions on-premises or in cloud environments should verify their installation against the affected product list.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity level for privilege escalation. The EPSS score is not available, so the current probability of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a locally authenticated user; therefore it is a local privilege escalation scenario. The attacker can leverage existing legitimate credentials and the weak authentication flow to gain elevated rights, potentially compromising confidentiality, integrity, and availability of the Business Central instance.

Generated by OpenCVE AI on May 12, 2026 at 20:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update that addresses CVE‑2026‑40417 from the Microsoft Security Update Guide
  • Restrict account permissions by enforcing least privilege for users with privileged roles until the patch is deployed
  • Disable or isolate any legacy authentication methods that may be susceptible to weak credential handling
  • Monitor authentication logs for unusual privilege escalation activity and confirm MFA is enforced where possible

Generated by OpenCVE AI on May 12, 2026 at 20:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
Title Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft dynamics 365 Business Central 2024
Microsoft dynamics 365 Business Central 2025
Microsoft dynamics 365 Business Central 2026
Weaknesses CWE-1390
CPEs cpe:2.3:a:microsoft:dynamics_365_business_central_2024:*:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central_2025:*:release_wave_1:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central_2025:*:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central_2026:*:release_wave_1:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft dynamics 365 Business Central 2024
Microsoft dynamics 365 Business Central 2025
Microsoft dynamics 365 Business Central 2026
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Dynamics 365 Business Central 2024 Dynamics 365 Business Central 2025 Dynamics 365 Business Central 2026
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:56:27.315Z

Reserved: 2026-04-13T00:27:50.798Z

Link: CVE-2026-40417

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T18:17:19.817

Modified: 2026-05-12T18:17:19.817

Link: CVE-2026-40417

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T20:15:24Z

Weaknesses