Description
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Published: 2026-05-12
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness is a classic code injection flaw (CWE-94): the application does not adequately control the code it generates or loads, so an authenticated user can supply input that ends up being executed in the server's context. The CVSS 3.1 vector recorded below (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) spells out the consequences: the flaw is reachable over the network with low attack complexity, needs only low privileges and no user interaction, and carries high impact on confidentiality, integrity, and availability of the Dynamics 365 instance. Scope is Changed, meaning the damage extends beyond the Dynamics 365 application to the host it runs on; that is what lifts the base score from the 8.8 the same vector would carry with Scope: Unchanged to 9.9.

Affected Systems

The enrichment data names Microsoft Dynamics 365 On-Premises version 9.1, and no other versions are listed. Note, however, that the CPE recorded for this CVE (cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*) carries no version bound, so operators of any on-premises release should confirm their patch level against the Microsoft Security Update Guide rather than assume only 9.1 is in scope.

Risk and Exploitability

The CVSS 3.1 base score of 9.9 is Critical, while the EPSS estimate is below 1%, its lowest band: the model currently predicts a low probability of exploitation in the wild over the next 30 days. That is consistent with the vulnerability not appearing in CISA's KEV catalog and with the SSVC assessment recorded below (Exploitation: none, Automatable: no, Technical Impact: total). The PR:L component means the attacker must already hold a valid, low-privileged account on the Dynamics 365 instance, so an insider or a compromised user credential is the likely entry point; no user interaction is required. Because the flaw yields code execution with Scope: Changed, a successful attacker controls not just the application but the server it runs on. The temporal metrics E:U/RL:O/RC:C indicate that no public exploit code is known, an official fix is available, and the report is confirmed.

Generated by OpenCVE AI on May 12, 2026 at 19:59 UTC.

Remediation

The remediation field carries no vendor fix or workaround text. Note, however, that the CVSS vector's RL:O (Remediation Level: Official Fix) and the Microsoft Security Update Guide entry cited under Recommended Actions indicate that an official security update exists; treat the empty field as a data gap in this record, not as the absence of a patch.

OpenCVE Recommended Actions

  • Install the latest Microsoft security update for Dynamics 365 9.1 (refer to the Microsoft Security Update Guide entry for CVE‑2026‑42898).
  • Restrict network access to the Dynamics 365 server to trusted, authorized IP ranges. Because exploitation requires only a low-privileged account (PR:L), enforce MFA for every user who can authenticate to the instance, not only for administrators.
  • Review which roles may create, upload or register server-side customizations and logic, restrict that capability to a minimal set of trusted administrators, and audit recent customization changes for unexpected code. Generic filtering of user input for "executable code" is not a reliable control for a CWE-94 flaw; the vendor update is the fix.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Description (added): Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
Title (added): Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
First time appeared (added): Microsoft; Microsoft dynamics 365
Weaknesses (added): CWE-94
CPEs (added): cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*
Vendors & Products (added): Microsoft; Microsoft dynamics 365
References (added):
Metrics (added): cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T19:33:13.100Z

Reserved: 2026-04-30T22:35:54.967Z

Link: CVE-2026-42898

Vulnrichment

Updated: 2026-05-12T19:22:11.541Z

NVD

Status : Analyzed

Published: 2026-05-12T18:17:26.610

Modified: 2026-05-14T14:31:46.783

Link: CVE-2026-42898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:00:18Z

Weaknesses