{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32210", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-03-11T01:49:58.659Z", "datePublished": "2026-04-23T21:35:47.638Z", "dateUpdated": "2026-05-12T17:37:45.490Z"}, "containers": {"cna": {"title": "Microsoft Dynamics 365 (online) Spoofing Vulnerability", "datePublic": "2026-04-23T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:dynamics_365_online:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Dynamics 365 (online)", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:37:45.490Z"}, "references": [{"name": "Microsoft Dynamics 365 (online) Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32210"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-32210"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T03:55:52.352Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32210", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T13:36:09.940065Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T13:36:14.408Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Dynamics 365 (online) Spoofing Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Dynamics 365 (online)", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-04-23T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32210", "name": "Microsoft Dynamics 365 (online) Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:dynamics_365_online:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:37:45.490Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32210", "state": "PUBLISHED", "dateUpdated": "2026-05-12T17:37:45.490Z", "dateReserved": "2026-03-11T01:49:58.659Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-04-23T21:35:47.638Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:dynamics_365:-:*:*:*:online:*:*:*", "matchCriteriaId": "0EED07FB-DDC6-4510-A321-834E7D4BB271", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network."}], "id": "CVE-2026-32210", "lastModified": "2026-05-05T14:10:29.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-23T22:16:35.260", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32210"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft Dynamics 365 (online)", "source": "cna", "vendor": "Microsoft"}, "product": "dynamics_365_online", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-28T07:24:00.941378+00:00", "value": {"mitigation_remediation": ["Apply the latest official security update for Microsoft Dynamics 365 online that addresses the SSRF flaw.", "Restrict outbound traffic from the Dynamics 365 environment to only the endpoints that are required for normal operation, rejecting all other destinations.", "Configure input validation or URL filtering on the Dynamics 365 service to prevent user\u2011supplied URLs from being used in server\u2011initiated requests."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery allowing unauthorized network spoofing"}, "threat_synthesis": {"affected_systems": "Microsoft Dynamics 365 (online). All currently deployed instances of the online service are affected; specific version information is not provided, so the issue applies to the entire product family.", "description_and_impact": "A server\u2011side request forgery flaw in Microsoft Dynamics 365 online lets an attacker craft requests that the server sends to arbitrary network resources.\nThis vulnerability is identified as CWE\u2011918 and carries a CVSS score of 9.3, indicating a high\u2011severity security risk.\nAn attacker who can trigger the flaw can potentially probe internal services, access sensitive data, or perform other unauthorized network actions.", "risk_and_exploitability": "The EPSS score of < 1% suggests that active exploitation is currently rare, but the high CVSS score and the fact that the flaw is not listed in the KEV catalog mean that it remains a significant threat.\nThe vulnerability can be leveraged over the network via crafted HTTP requests to the Dynamics 365 service, a scenario that requires no privileged configuration. Because the exploit is known but low\u2011probability, organizations should not overlook it, especially given the potential for internal network reach."}}}}, "created": "2026-04-27T21:30:13.616531+00:00", "updated": "2026-04-28T07:30:26.330181+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$dynamics_365_online"]}