HarborGuard Database
HIGH CVE-2026-40371 (CNA: microsoft)

CVE-2026-40371: Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability

Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 9.1.0045.0011
Affected Products: 1


HarborGuard Analysis

Synopsis

An elevation-of-privilege vulnerability exists in Microsoft Dynamics 365 (on-premises) stemming from improper handling of insufficient permissions. The flaw is reachable over the network by any authenticated user holding a low-privilege account, with no additional interaction required. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected Dynamics 365 instance. A patched-image rebuild at version 9.1.0045.0011 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-40371 is available across every HarborGuard environment, with ingestion from upstream feeds occurring within minutes of publication and matching applied against images in customer registries, CI/CD pipelines, and custom-built images. Any image derived from an affected Microsoft Dynamics 365 (on-premises) 9.1 base prior to 9.1.0045.0011 is flagged automatically.
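The version-range matching the Detection paragraph describes, written out as an added example (this is not HarborGuard's own matcher): it parses Dynamics 365's four-part numeric versions and checks a set of image tags against the range given in the record, from 9.0 up to but excluding 9.1.0045.0011. The image inventory at the bottom is constructed sample data.

```python
"""Affected-version matching for a CVE record's package range.

Added example, not HarborGuard's matcher: it parses dotted numeric
versions such as Dynamics 365's 9.1.0045.0011 and checks image tags
against the range in the record ("from 9.0", "< 9.1.0045.0011").
"""
import re
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """'9.1.0045.0011' -> (9, 1, 45, 11).

    Leading zeros are padding, so int() strips them; tags that are not
    purely numeric (e.g. 'latest') are rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a: tuple, b: tuple) -> int:
    """Component-wise compare, padding the shorter tuple with zeros so that
    9.1 == 9.1.0.0 (plain tuple comparison would rank 9.1 below 9.1.0)."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


@dataclass(frozen=True)
class AffectedRange:
    introduced: str  # inclusive lower bound ("from 9.0")
    fixed: str       # exclusive upper bound ("< 9.1.0045.0011")

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        return (compare(v, parse_version(self.introduced)) >= 0
                and compare(v, parse_version(self.fixed)) < 0)


# Range as given in the Affected packages section of the record.
CVE_2026_40371 = AffectedRange(introduced="9.0", fixed="9.1.0045.0011")


def triage_images(tags: dict, rng: AffectedRange = CVE_2026_40371) -> dict:
    """Map image name -> 'affected' / 'outside_range' / 'unparseable' for a
    dict of {image_name: version_tag}.

    'outside_range' covers both versions at or above the fix and versions
    below the stated lower bound; the record says nothing about the latter,
    so they are not reported as fixed.
    """
    result = {}
    for name, tag in tags.items():
        try:
            result[name] = "affected" if rng.contains(tag) else "outside_range"
        except ValueError:
            result[name] = "unparseable"
    return result


if __name__ == "__main__":
    sample = {  # constructed sample inventory, not real images
        "crm-web:9.1.0044.0020": "9.1.0044.0020",
        "crm-web:9.1.0045.0011": "9.1.0045.0011",
        "crm-web:9.0": "9.0",
        "crm-web:8.2.0001.0000": "8.2.0001.0000",
        "crm-web:latest": "latest",
    }
    for image, status in triage_images(sample).items():
        print(f"{image:28s} {status}")
```

The numeric parse matters for this product's version scheme: compared as strings, "9.1.0045.0011" sorts below "9.1.10.0" because "0" < "1", which would mark a later build as affected. Tags that carry no version (such as `latest`) are reported separately so they can be resolved to a digest rather than silently treated as safe.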
Triage: Available

HarborGuard scores this CVE at 8.8 HIGH using the CVSS v3.1 vector and weights findings against each customer organization's compliance policy to determine urgency and routing. Triage notifications are directed to the appropriate team inbox within each customer org based on configured ownership rules.
Patch: Available

A patched-image rebuild pinned to version 9.1.0045.0011 becomes available on HarborGuard once the upstream fix is confirmed in the advisory feed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Dynamics 365 service over the network; there is no local or physical access requirement.

  • Authentication: Required

    The attacker must hold a valid account on the system, though any low-privilege account is sufficient to exploit this vulnerability.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the attacker can exploit this entirely on their own.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker reads confidential data stored within the Dynamics 365 instance, including business records, user data, and application configuration.
  • The attacker modifies or deletes persisted records and application data within the Dynamics 365 database.
  • The attacker disrupts or crashes the Dynamics 365 service, causing an outage for all users of the on-premises deployment.
  • Starting from a low-privilege account, the attacker gains elevated control equivalent to a higher-privileged role within the application.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-40371 is active across all customer environments, matching images against the affected version range (Dynamics 365 on-premises 9.1 prior to 9.1.0045.0011) within minutes of the advisory being ingested. For customers who opt into auto-remediation, HarborGuard will trigger a rebuild at the patched version 9.1.0045.0011, execute a regression run against the rebuilt image, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and associated diff are staged and routed to the designated approver inbox for review. Customers not yet on the fix version are encouraged to prioritize this update given the low attack complexity and network-reachable, authenticated (low-privilege) exploit path.

Affected packages

  • Microsoft / Microsoft Dynamics 365 (on-premises) version 9.1: affected < 9.1.0045.0011 (from 9.0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C