Introduction
An improper access control flaw in Microsoft's Azure AI Foundry M365 published agents allowed an unauthenticated, network based attacker to escalate privileges and breach confidentiality boundaries, all without any user interaction. With a CVSS 3.1 base score of 8.6 and a "Critical" severity rating from Microsoft, this vulnerability is notable both for its impact profile and for the way it was disclosed: as part of Microsoft's newer transparency initiative to publicly document cloud service CVEs even when no customer patch is needed.
Microsoft has already resolved the issue entirely on the server side. There is nothing for customers to install or configure. But the vulnerability is worth understanding, particularly for organizations that publish AI agents to Microsoft 365 Copilot and Microsoft Teams, because it illustrates the kinds of access control risks that emerge when AI agent platforms are deeply integrated into enterprise collaboration surfaces.
Technical Information
Root Cause
CVE-2026-35435 is rooted in improper access control, classified under CWE-284. The flaw existed within the Azure AI Foundry M365 published agents feature, which allows organizations to deploy AI agents directly into Microsoft Teams and Microsoft 365 Copilot. The underlying issue was insufficient authorization enforcement in agent related operations, meaning the platform did not correctly validate privilege boundaries for certain network accessible requests.
CVSS Vector Breakdown
The full CVSS 3.1 vector string is:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
Breaking this down:
- Attack Vector (AV:N): The vulnerability is exploitable over the network.
- Attack Complexity (AC:L): Exploitation requires no special conditions or preparation.
- Privileges Required (PR:N): The attacker needs no prior authentication or privileges.
- User Interaction (UI:N): No victim action is needed.
- Scope (S:C): A successful exploit can affect resources beyond the security scope managed by the vulnerable component itself. This is a significant detail: it means the access control failure could allow an attacker to reach into resources that the Azure AI Foundry agent component should not have been able to expose.
- Confidentiality (C:H): High impact on confidentiality. Information access and disclosure protections are compromised.
- Integrity (I:N) and Availability (A:N): Neither integrity nor availability is affected.
The temporal metrics indicate that exploit code maturity is unproven (E:U), an official fix exists (RL:O), and the report is confirmed (RC:C).
Attack Surface
The attack surface is the network facing interface of Azure AI Foundry M365 published agents. Because these agents are published into Microsoft Teams and Microsoft 365 Copilot, they operate within a collaboration environment that is broadly accessible across an organization. The "changed scope" designation in the CVSS vector tells us that exploitation could allow access to resources outside the agent's own security boundary, which in the context of M365 integration could mean exposure of data from connected services or tenant level information.
Microsoft has not disclosed specific exploit mechanics, detailed attack flow steps, or proof of concept code. This is consistent with their handling of exclusively hosted cloud service vulnerabilities, where the fix is deployed transparently and detailed technical specifics are withheld to prevent retroactive exploitation of unpatched edge cases.
Exploitability Assessment
Despite the absence of known active exploitation, Microsoft categorized this vulnerability's exploitability as "Exploitation More Likely." Given the combination of network accessibility, no authentication requirement, no user interaction, and high confidentiality impact, this assessment is reasonable. The attack prerequisites are minimal, which makes the flaw an attractive target for threat actors seeking unauthorized data access in enterprise environments.
Patch Information
CVE-2026-35435 affects Azure AI Foundry M365 published agents, a cloud hosted service managed entirely by Microsoft. Because this is an exclusively hosted service running on Microsoft's infrastructure with no customer managed components, the patch was applied server side by Microsoft and has already been fully deployed.
According to the official CVRF data from Microsoft's May 2026 Security Update cycle (retrieved via the MSRC API at api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-May), the vulnerability's remediation status is listed as "Mitigated," with no associated KB article (marked "Not Applicable") and no customer action required. This is consistent with how Microsoft handles security flaws in its exclusively hosted cloud services: the fix is rolled out transparently on the back end, and the advisory serves as public disclosure rather than a call to action for administrators.
The remediation tightens access control checks so that privilege boundaries are correctly enforced for agent related operations. While the exact code level changes are not publicly disclosed (as is typical for proprietary cloud service patches), the fix addresses the insufficient authorization enforcement that previously allowed an unauthenticated, network based attacker to escalate privileges within the M365 published agents feature.
The CVE was reserved on April 2, 2026 and published on May 7, 2026, indicating that Microsoft had sufficient time to develop and deploy the fix before the coordinated disclosure date. The NVD entry corroborates this, tagging the record as exclusively-hosted-service and referencing the MSRC advisory as the sole remediation source.
In short, if you are a user of Azure AI Foundry M365 published agents, there is nothing to install or update.
Proactive Governance Recommendations
While no patch action is required, organizations using Azure AI Foundry Agent Service should consider the following governance controls:
- Enforce role based access control through Microsoft Entra and Azure RBAC to limit who can create and publish agents.
- Require Microsoft 365 admin center approval for any agents published to the entire organization.
- Test agents thoroughly in the Foundry portal before publishing to confirm they respond correctly and tools work as expected.
- Avoid including secrets, API keys, or sensitive information in any metadata fields during the publishing process.
Affected Systems and Versions
The affected component is Azure AI Foundry M365 published agents. Microsoft has not provided specific version identifiers or version ranges, which is expected for an exclusively hosted cloud service where versioning is managed internally. The NVD entry tags this record as exclusively-hosted-service. All instances of the service have been mitigated server side by Microsoft.
Vendor Security History
Microsoft recently updated its Common Vulnerabilities and Exposures program rules to issue CVE records for critical cloud service vulnerabilities. This policy shift ensures that vulnerabilities with the potential to cause significant harm receive public documentation, regardless of whether customers need to install a patch or take other actions. CVE-2026-35435 was published under this new transparency framework, which represents a meaningful step forward in cloud security accountability. Microsoft maintains the Microsoft Security Response Center (MSRC) to investigate and resolve security vulnerabilities across its entire product portfolio.
References
- NVD Entry for CVE-2026-35435
- MSRC Security Update Guide: CVE-2026-35435
- MSRC CVRF Data for May 2026
- CVE Record: CVE-2026-35435
- RedPacket Security Alert: CVE-2026-35435
- Microsoft: Toward Greater Transparency, Unveiling Cloud Service CVEs
- Publish Agents to Microsoft 365 Copilot and Microsoft Teams
- What is Microsoft Foundry Agent Service?
- What is Microsoft Foundry?
- Introducing the New Hosted Agents in Foundry Agent Service



