{"@odata.context":"https://api.msrc.microsoft.com/sug/v2.0/sugodata/v2.0/en-US/$metadata#vulnerability/$entity","id":"00000000-0000-0000-0000-0000ba357600","releaseDate":"2026-05-07T07:00:00-07:00","cveNumber":"CVE-2026-35435","cveTitle":"Azure AI Foundry Elevation of Privilege Vulnerability","releaseNumber":"2026-May","vulnType":"Security Vulnerability","latestRevisionDate":"2026-05-07T07:00:00-07:00","description":"<p>Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.</p>\n","cweList":["CWE-284: Improper Access Control"],"cweDetailsListForSearch":["cwe: CWE-284: Improper Access Control","cweUrl: https://cwe.mitre.org/data/definitions/284.html"],"unformattedDescription":"Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.","mitreText":"CVE-2026-35435","mitreUrl":"https://www.cve.org/CVERecord?id=CVE-2026-35435","publiclyDisclosed":"No","exploited":"No","latestSoftwareReleaseId":1,"latestSoftwareRelease":"Exploitation More Likely","olderSoftwareReleaseId":0,"denialOfService":"N/A","tag":"Azure AI Foundry M365 published agents","issuingCna":"Microsoft","issuingCnaId":100000001,"severityId":100000000,"severity":"Critical","impactId":100000002,"impact":"Elevation of Privilege","langCode":"en-US","baseScore":"8.6","temporalScore":"7.5","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C","vectorStringSource":"Microsoft","isMariner":false,"customerActionRequired":false,"customerActionRequiredId":2,"cweDetailsList":[{"keys":["cwe","cweUrl"],"values":["CWE-284: Improper Access Control","https://cwe.mitre.org/data/definitions/284.html"]}],"articles":[{"title":"Azure AI Foundry M365 published agents Elevation of Privilege Vulnerability","articleType":"100000000","description":"<p>Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.</p>\n","ordinal":10000},{"articleType":"FAQ","description":"<p><strong>Why are there no links to an update or instructions with steps that must be taken to protect from this vulnerability?</strong></p>\n<p>This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.</p>\n<p>Please see <a href=\"https://aka.ms/MSRC-Cloud-CVEs\">Toward greater transparency: Unveiling Cloud Service CVEs</a> for more information.</p>\n","ordinal":10000}],"revisions":[{"cveNumber":"CVE-2026-35435","version":1,"revisionDate":"2026-05-07T07:00:00-07:00","initialDate":"0001-01-01T00:00:00Z","description":"<p>Information published.</p>\n","unformattedDescription":"Information published.","notificationNeeded":true,"notificationSent":true,"sourceId":"b2a4890d-2539-f111-93fa-000d3afbc7d7"}]}