Azure AI Foundry M365 Flaw Allows Network Privilege Escalation

The National Vulnerability Database has disclosed CVE-2026-35435, a high-severity improper access control vulnerability in Azure AI Foundry M365 published agents. This flaw, with a CVSS score of 8.6, allows an unauthenticated attacker to elevate privileges over the network, posing a significant risk to affected environments.

The core issue lies in inadequate access controls (CWE-284), enabling unauthorized network-based privilege escalation. While specific affected products beyond “Azure AI Foundry M365 published agents” are not detailed, the implication is that any organization utilizing these agents within their Microsoft 365 ecosystem is potentially exposed. The attacker’s calculus here is straightforward: exploit an easily accessible network vector to gain higher privileges, laying the groundwork for further compromise or data exfiltration without needing prior authentication.

For defenders, this is a critical alert. A network-exploitable privilege escalation vulnerability, especially one rated high and requiring no user interaction, is a prime target for adversaries. Organizations leveraging Azure AI Foundry M365 agents must prioritize identifying and patching this vulnerability. Leaving it unaddressed is essentially leaving a front door unlocked with a clear path to administrative access within your M365 tenant.

What This Means For You

  • If your organization deploys Azure AI Foundry M365 published agents, you need to identify all instances and apply patches or mitigations for CVE-2026-35435 immediately. Audit your Azure AD and M365 logs for any unusual privilege changes or access attempts originating from network-facing AI Foundry components.

🛡️ Detection Rules

Two detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; the one reproduced below is the Sigma YAML. Because the rule is machine-generated, treat its indicators as a starting point to validate against your own telemetry rather than a confirmed exploit signature.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-35435 - Azure AI Foundry M365 Unauthorized Network Privilege Escalation

title: CVE-2026-35435 - Azure AI Foundry M365 Unauthorized Network Privilege Escalation
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to exploit CVE-2026-35435 by identifying specific API calls to Azure AI Foundry M365 agents that are indicative of privilege escalation attempts over the network. The presence of '/api/agents/' in the URI, a POST method, a successful status code (200), and a query parameter suggesting privilege escalation ('privilege_escalation=true') are strong indicators of this vulnerability being exploited.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-35435/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/agents/'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
    cs-uri-query|contains:
      - 'privilege_escalation=true'
  condition: selection
falsepositives:
  - Legitimate administrative activity
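To see exactly which requests the selection above would and would not flag, here is an added example (not part of the original post or of the Sigma project) that evaluates the rule's selection map over constructed W3C extended log lines. It assumes the log header writes the request path in a field named cs-uri, matching the rule, and implements the two Sigma matching behaviours the rule relies on: keys in one selection are ANDed, list values are ORed, and string matching is case-insensitive.

```python
# Added example: apply the Sigma selection from the rule above to
# constructed W3C extended log lines (Sigma "webserver" category).
# The log lines, IPs and paths below are constructed for illustration.

W3C_LOG = """\
#Fields: date time cs-method cs-uri cs-uri-query sc-status c-ip
2026-05-08 01:20:11 POST /api/agents/run privilege_escalation=true 200 203.0.113.5
2026-05-08 01:20:12 GET /api/agents/run privilege_escalation=true 200 203.0.113.5
2026-05-08 01:20:13 POST /api/agents/run privilege_escalation=true 403 203.0.113.5
2026-05-08 01:20:14 POST /api/health - 200 198.51.100.7
2026-05-08 01:20:15 POST /api/agents/publish mode=admin 200 198.51.100.7
"""

# The rule's selection map, copied field-for-field from the Sigma YAML.
SELECTION = {
    "cs-uri|contains": ["/api/agents/"],
    "cs-method": ["POST"],
    "sc-status": ["200"],
    "cs-uri-query|contains": ["privilege_escalation=true"],
}


def parse_w3c(text):
    """Turn a W3C extended log into a list of {field: value} events."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#") and fields:
            events.append(dict(zip(fields, line.split())))
    return events


def field_matches(event, key, wanted):
    """One selection entry: 'field' (exact) or 'field|contains' (substring)."""
    field, _, modifier = key.partition("|")
    value = event.get(field, "").lower()       # Sigma matching is case-insensitive
    if modifier == "contains":
        return any(w.lower() in value for w in wanted)
    if modifier == "":
        return any(w.lower() == value for w in wanted)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_selection(event, selection=SELECTION):
    """All keys of a selection map must match (AND); list values are ORed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def find_hits(text):
    """Return the parsed events that the rule's selection would alert on."""
    return [e for e in parse_w3c(text) if matches_selection(e)]
```

Only the first line fires: the GET, the 403 and the requests without the query indicator are excluded, which also shows how narrow the auto-generated signature is.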

Indicators of Compromise

ID             | Type                 | Indicator
CVE-2026-35435 | Privilege Escalation | Azure AI Foundry M365 published agents
CVE-2026-35435 | Auth Bypass          | Improper access control
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
