{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33103", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-03-17T20:15:23.719Z", "datePublished": "2026-04-14T16:58:41.818Z", "dateUpdated": "2026-05-12T17:39:40.457Z"}, "containers": {"cna": {"title": "Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability", "datePublic": "2026-04-14T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.1.0044.0015"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Dynamics 365 (on-premises) version 9.0", "versions": [{"version": "9.0.0", "lessThan": "9.1.0044.0015", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-284: Improper Access Control", "lang": "en-US", "type": "CWE", "cweId": "CWE-284"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:39:40.457Z"}, "references": [{"name": "Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33103"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T19:22:09.783447Z", "id": "CVE-2026-33103", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:22:18.451Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33103", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T19:22:09.783447Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:22:13.512Z"}}], "cna": {"title": "Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Dynamics 365 (on-premises) version 9.0", "versions": [{"status": "affected", "version": "9.0.0", "lessThan": "9.1.0044.0015", "versionType": "custom"}]}], "datePublic": "2026-04-14T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33103", "name": "Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*", "vulnerable": true, "versionEndExcluding": "9.1.0044.0015", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:39:40.457Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33103", "state": "PUBLISHED", "dateUpdated": "2026-05-12T17:39:40.457Z", "dateReserved": "2026-03-17T20:15:23.719Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-04-14T16:58:41.818Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:dynamics_365:*:*:*:*:on-premises:*:*:*", "matchCriteriaId": "CB8564B1-332E-4880-916B-7064D5DF8DEB", "versionEndExcluding": "9.1.44.15", "versionStartIncluding": "9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally."}], "id": "CVE-2026-33103", "lastModified": "2026-04-28T12:15:28.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-04-14T18:17:33.000", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33103"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.0.0,9.1.0044.0015)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft Dynamics 365 (on-premises) version 9.0", "source": "cna", "vendor": "Microsoft"}, "product": "dynamics_365", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-14T19:41:24.148573+00:00", "value": {"mitigation_remediation": ["Apply the Microsoft Security Update for CVE-2026-33103 from the Microsoft Security Response Center.", "Verify that the update is installed and that the affected component is no longer present.", "Review and tighten local access controls to ensure only necessary users have privileges to view sensitive data."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Vulnerable systems include Microsoft Dynamics 365 (on\u2011premises) version 9.0. The attack is limited to installations that run this version and do not have the latest security updates applied.", "description_and_impact": "The vulnerability arises from improper access control in Microsoft Dynamics 365 on\u2011premises. An attacker who has authorized access can read sensitive data that should be protected, exposing confidential information. This weakness is classified as a lack of proper authorization checks.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a medium severity. The exploit requires that the attacker already possesses legitimate local credentials and that no additional conditions are needed. Because the attack vector is local and the vulnerability is not listed in the KEV catalog, the likelihood of widespread exploitation is moderate but still warrants timely remediation. Applying the vendor\u2019s security update is the recommended approach."}}}}, "created": "2026-04-15T14:31:56.912188+00:00", "updated": "2026-04-15T14:41:09.786026+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$dynamics_365"]}