CVE-2026-32210

Critical

Published: 23 April 2026

Published

23 April 2026

Modified

05 May 2026

KEV Added

—

Patch

—

CVSS Score 9.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS Score 0.0005 16.4th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32210 is a critical-severity SSRF (CWE-918) vulnerability in Microsoft Dynamics 365. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly validates and sanitizes user inputs that trigger server-side requests, preventing SSRF exploitation in Microsoft Dynamics 365.

AC-4 Information Flow Enforcement good match

prevent

Enforces flow control policies to block unauthorized server requests to internal or external resources targeted by SSRF attacks.

SC-7 Boundary Protection good match

prevent

Monitors and controls outbound communications at boundaries, mitigating SSRF by restricting access to spoofed network destinations.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SSRF vulnerability in publicly accessible Microsoft Dynamics 365 (Online) directly enables initial access by exploiting a weakness in an Internet-facing application over the network (AV:N), matching T1190. User interaction requirement aligns with common SSRF delivery but does not change the core mapping.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.

Deeper analysisAI

CVE-2026-32210 is a server-side request forgery (SSRF) vulnerability, mapped to CWE-918, affecting Microsoft Dynamics 365 (Online). Published on 2026-04-23T22:16:35.260, it carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating critical severity due to network accessibility, low complexity, no privileges required, and high impacts on confidentiality and integrity with a changed scope.

An unauthorized attacker can exploit this vulnerability over the network by tricking a user into some interaction that triggers the SSRF, enabling spoofing attacks. Successful exploitation allows the attacker to achieve high confidentiality and integrity impacts across the changed scope, without affecting availability.

Mitigation details are available in the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32210.

Details

CWE(s): CWE-918

Affected Products

microsoft

dynamics 365

all versions

CVEs Like This One

CVE-2025-62210Same product: Microsoft Dynamics 365

CVE-2025-62211Same product: Microsoft Dynamics 365

CVE-2025-21385Same vendor: Microsoft

CVE-2026-35431Same vendor: Microsoft

CVE-2026-26139Same vendor: Microsoft

CVE-2026-26120Same vendor: Microsoft

CVE-2025-21177Same vendor: Microsoft

CVE-2026-32169Same vendor: Microsoft

CVE-2025-59503Same vendor: Microsoft

CVE-2026-26138Same vendor: Microsoft

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32210
Vendor Advisory · secure@microsoft.com