ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-35435 — Azure AI Foundry M365 Agents Elevation of Privilege via Improper Access Control

A short review of CVE-2026-35435, a critical improper access control vulnerability in Azure AI Foundry M365 published agents that allowed unauthenticated privilege escalation over the network. Microsoft has already mitigated this server-side, and no customer action is required. Includes patch details and governance recommendations.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-07

Brief Summary: CVE-2026-35435 — Azure AI Foundry M365 Agents Elevation of Privilege via Improper Access Control
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An improper access control flaw in Microsoft's Azure AI Foundry M365 published agents allowed an unauthenticated, network based attacker to escalate privileges and breach confidentiality boundaries, all without any user interaction. With a CVSS 3.1 base score of 8.6 and a "Critical" severity rating from Microsoft, this vulnerability is notable both for its impact profile and for the way it was disclosed: as part of Microsoft's newer transparency initiative to publicly document cloud service CVEs even when no customer patch is needed.

Microsoft has already resolved the issue entirely on the server side. There is nothing for customers to install or configure. But the vulnerability is worth understanding, particularly for organizations that publish AI agents to Microsoft 365 Copilot and Microsoft Teams, because it illustrates the kinds of access control risks that emerge when AI agent platforms are deeply integrated into enterprise collaboration surfaces.

Technical Information

Root Cause

CVE-2026-35435 is rooted in improper access control, classified under CWE-284. The flaw existed within the Azure AI Foundry M365 published agents feature, which allows organizations to deploy AI agents directly into Microsoft Teams and Microsoft 365 Copilot. The underlying issue was insufficient authorization enforcement in agent related operations, meaning the platform did not correctly validate privilege boundaries for certain network accessible requests.

CVSS Vector Breakdown

The full CVSS 3.1 vector string is:

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C

Breaking this down:

  • Attack Vector (AV:N): The vulnerability is exploitable over the network.
  • Attack Complexity (AC:L): Exploitation requires no special conditions or preparation.
  • Privileges Required (PR:N): The attacker needs no prior authentication or privileges.
  • User Interaction (UI:N): No victim action is needed.
  • Scope (S:C): A successful exploit can affect resources beyond the security scope managed by the vulnerable component itself. This is a significant detail: it means the access control failure could allow an attacker to reach into resources that the Azure AI Foundry agent component should not have been able to expose.
  • Confidentiality (C:H): High impact on confidentiality. Information access and disclosure protections are compromised.
  • Integrity (I:N) and Availability (A:N): Neither integrity nor availability is affected.

The temporal metrics indicate that exploit code maturity is unproven (E:U), an official fix exists (RL:O), and the report is confirmed (RC:C).

Attack Surface

The attack surface is the network facing interface of Azure AI Foundry M365 published agents. Because these agents are published into Microsoft Teams and Microsoft 365 Copilot, they operate within a collaboration environment that is broadly accessible across an organization. The "changed scope" designation in the CVSS vector tells us that exploitation could allow access to resources outside the agent's own security boundary, which in the context of M365 integration could mean exposure of data from connected services or tenant level information.

Microsoft has not disclosed specific exploit mechanics, detailed attack flow steps, or proof of concept code. This is consistent with their handling of exclusively hosted cloud service vulnerabilities, where the fix is deployed transparently and detailed technical specifics are withheld to prevent retroactive exploitation of unpatched edge cases.

Exploitability Assessment

Despite the absence of known active exploitation, Microsoft categorized this vulnerability's exploitability as "Exploitation More Likely." Given the combination of network accessibility, no authentication requirement, no user interaction, and high confidentiality impact, this assessment is reasonable. The attack prerequisites are minimal, which makes the flaw an attractive target for threat actors seeking unauthorized data access in enterprise environments.

Patch Information

CVE-2026-35435 affects Azure AI Foundry M365 published agents, a cloud hosted service managed entirely by Microsoft. Because this is an exclusively hosted service running on Microsoft's infrastructure with no customer managed components, the patch was applied server side by Microsoft and has already been fully deployed.

According to the official CVRF data from Microsoft's May 2026 Security Update cycle (retrieved via the MSRC API at api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-May), the vulnerability's remediation status is listed as "Mitigated," with no associated KB article (marked "Not Applicable") and no customer action required. This is consistent with how Microsoft handles security flaws in its exclusively hosted cloud services: the fix is rolled out transparently on the back end, and the advisory serves as public disclosure rather than a call to action for administrators.

The remediation tightens access control checks so that privilege boundaries are correctly enforced for agent related operations. While the exact code level changes are not publicly disclosed (as is typical for proprietary cloud service patches), the fix addresses the insufficient authorization enforcement that previously allowed an unauthenticated, network based attacker to escalate privileges within the M365 published agents feature.

The CVE was reserved on April 2, 2026 and published on May 7, 2026, indicating that Microsoft had sufficient time to develop and deploy the fix before the coordinated disclosure date. The NVD entry corroborates this, tagging the record as exclusively-hosted-service and referencing the MSRC advisory as the sole remediation source.

In short, if you are a user of Azure AI Foundry M365 published agents, there is nothing to install or update.

Proactive Governance Recommendations

While no patch action is required, organizations using Azure AI Foundry Agent Service should consider the following governance controls:

  • Enforce role based access control through Microsoft Entra and Azure RBAC to limit who can create and publish agents.
  • Require Microsoft 365 admin center approval for any agents published to the entire organization.
  • Test agents thoroughly in the Foundry portal before publishing to confirm they respond correctly and tools work as expected.
  • Avoid including secrets, API keys, or sensitive information in any metadata fields during the publishing process.

Affected Systems and Versions

The affected component is Azure AI Foundry M365 published agents. Microsoft has not provided specific version identifiers or version ranges, which is expected for an exclusively hosted cloud service where versioning is managed internally. The NVD entry tags this record as exclusively-hosted-service. All instances of the service have been mitigated server side by Microsoft.

Vendor Security History

Microsoft recently updated its Common Vulnerabilities and Exposures program rules to issue CVE records for critical cloud service vulnerabilities. This policy shift ensures that vulnerabilities with the potential to cause significant harm receive public documentation, regardless of whether customers need to install a patch or take other actions. CVE-2026-35435 was published under this new transparency framework, which represents a meaningful step forward in cloud security accountability. Microsoft maintains the Microsoft Security Response Center (MSRC) to investigate and resolve security vulnerabilities across its entire product portfolio.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization