Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-32210 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-24 |
| Vendor | Microsoft |
| Product | Dynamics 365 |
| CVSS Score | 9.3 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Server-side request forgery (SSRF) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network. By exploiting this issue, an attacker can coerce the Dynamics 365 server into issuing HTTP requests on their behalf to internal resources, impersonating a trusted service component.
Required Actions
Microsoft remediates cloud-service vulnerabilities on the server side, so most tenants do not need to apply a manual update. Review the Microsoft Security Response Center advisory, audit your Dynamics 365 instance for unusual requests to internal endpoints, and verify all third-party integrations.
Who Is Affected?
This vulnerability affects Dynamics 365 by Microsoft. Check whether your organization uses Dynamics 365 (Online) and review audit logs around the disclosure window.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
