CVE-2026-40371: Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability

Overview

  • Severity: High (CVSS 8.8)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
  • Category: Elevation of Privilege
  • Exploit Status: Not Exploited
  • Exploitation Likelihood: Less Likely
  • Patch Tuesday: 2026-Jun
  • Released: 2026-06-09

Description

Improper handling of insufficient permissions or privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to elevate privileges over a network.

FAQ

How could an attacker exploit this vulnerability?
An attacker who is already signed in to the affected Microsoft Dynamics 365 (On‑Premises) system could send a specially crafted request to the vulnerable scenario‑switching page, which does not properly check permissions. By doing so, the attacker could improperly assign themselves the System Administrator role and gain full administrative control of the organization.

What privileges could be gained by an attacker who successfully exploited the vulnerability?
An attacker who successfully exploited this vulnerability could gain administrator privileges.
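One way to review role-assignment history for the outcome described in the FAQ, as an added example that is not Microsoft's code: it replays constructed audit records and flags System Administrator grants made by an account that did not legitimately hold that role at the time. The record fields, account names and the `find_suspicious_grants` helper are hypothetical, not a Dynamics 365 export schema.

```python
from datetime import datetime

ADMIN_ROLE = "System Administrator"

# Constructed sample audit records (deliberately out of order). Field and
# account names are hypothetical, not a Dynamics 365 export schema.
SAMPLE_EVENTS = [
    {"time": "2026-06-02T10:05:00", "actor": "j.doe", "target": "temp01", "action": "assign", "role": ADMIN_ROLE},
    {"time": "2026-06-01T09:00:00", "actor": "admin1", "target": "ops1", "action": "assign", "role": ADMIN_ROLE},
    {"time": "2026-06-02T10:00:00", "actor": "j.doe", "target": "j.doe", "action": "assign", "role": ADMIN_ROLE},
    {"time": "2026-06-03T11:00:00", "actor": "admin1", "target": "ops1", "action": "remove", "role": ADMIN_ROLE},
    {"time": "2026-06-03T11:30:00", "actor": "ops1", "target": "ops2", "action": "assign", "role": ADMIN_ROLE},
    {"time": "2026-06-03T12:00:00", "actor": "sales1", "target": "sales1", "action": "assign", "role": "Salesperson"},
]


def find_suspicious_grants(events, initial_admins):
    """Replay role changes in time order; return admin grants whose actor
    did not legitimately hold the admin role when the grant was made."""
    admins = set(initial_admins)   # accounts currently holding the role
    tainted = set()                # holders whose role came from a flagged grant
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["role"] != ADMIN_ROLE:
            continue
        actor, target = ev["actor"], ev["target"]
        if ev["action"] == "remove":
            admins.discard(target)
            tainted.discard(target)
            continue
        if actor not in admins:
            reason = "self-assignment by non-admin" if actor == target else "grant by non-admin"
        elif actor in tainted:
            reason = "grant by account whose admin role was itself flagged"
        else:
            reason = None
        if reason:
            findings.append((ev["time"], actor, target, reason))
            tainted.add(target)
        admins.add(target)
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_grants(SAMPLE_EVENTS, initial_admins={"admin1"}):
        print(finding)
```

The `initial_admins` set should come from a known-good baseline taken before the review window, since every later decision depends on it.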

Affected Products (1)

Microsoft Dynamics

  • Microsoft Dynamics 365 (on-premises) version 9.1

Security Updates (1)

Acknowledgments

Kentaro Kawane with GMO Cybersecurity by Ierae, Inc. (https://gmo-cybersecurity.com/), f7d8c52bec79e42795cf15888b85cbad

Revision History

  • 2026-06-09: Information published.