Azure AI Foundry CVE-2026-35435 — Privilege Escalation in M365 Published Agents
What happened
- CVE-2026-35435 (CVSS base score 8.6, which is High on the CVSS qualitative scale; Microsoft's own severity rating is Critical) is an elevation of privilege vulnerability in Azure AI Foundry, specifically affecting M365 published agents.
- The root cause is an improper access control flaw (CWE-284) that allows an unauthorized remote attacker to elevate their privileges over a network.
- This was disclosed as part of Microsoft's May 2026 Patch Tuesday, which addressed 137 vulnerabilities including 13 rated critical.
- The same Patch Tuesday also included two critical Azure Managed Instance for Apache Cassandra RCE flaws (CVE-2026-33109 at CVSS 9.9, CVE-2026-33844 at CVSS 9.0), both already remediated by Microsoft on the service side.
- A Critical CVSS 10 information disclosure flaw in Azure DevOps (CVE-2026-42826) was also patched server-side.
Why it matters
Azure AI Foundry is Microsoft's platform for building, deploying, and managing AI agents and models. Published agents in the M365 ecosystem have access to organizational data — emails, documents, Teams conversations, and connected APIs. A privilege escalation in this layer means an attacker could potentially access sensitive enterprise data or escalate to administrative control over deployed AI agents. This is a direct AI infrastructure vulnerability, not just a general cloud bug.
What to do
- Microsoft has remediated this on the service side, so there is no customer-installed patch. If you run Azure AI Foundry or have M365 published agents deployed, check the MSRC advisory for CVE-2026-35435 for any tenant-side action and confirm that no service-health notice for it is still open on your tenant.
- Review the permissions and data access scope of any published agents in your Azure AI Foundry tenant.
- Apply the principle of least privilege to agent tool connections: grant each connection only the data sources, APIs and permission scopes the agent's task needs, and remove write or tenant-wide scopes that are not strictly required.
- Monitor Azure Service Health for additional service-side patches in the coming days.
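One way to make the permission review in the items above repeatable, as an added example that is not Microsoft's code and does not call any Azure AI Foundry API: it assumes you have already exported each published agent's tool connections into the simple inventory shape shown (the agent and connection names, the `auth` field and the approved allowlist are constructed for illustration; the Microsoft Graph scope names are real permissions), and it flags every granted scope that is not on the agent's approved list, ranking wildcard, write and tenant-wide scopes highest.

```python
"""Least-privilege review of published-agent tool connections.

Added example: not Microsoft's code and not an Azure AI Foundry API. It
assumes an inventory of agents exported into the dict shape used below
(constructed here inline) and an approved-scope allowlist per connection.
"""
from __future__ import annotations

from dataclasses import dataclass

SEVERITY_ORDER = ("low", "medium", "high", "critical")
WRITE_MARKERS = ("ReadWrite", "Send")


@dataclass(frozen=True)
class Finding:
    agent: str
    connection: str
    scope: str
    severity: str
    reason: str


def scope_risk(scope: str) -> str:
    """Rank a permission scope by blast radius (Microsoft Graph naming)."""
    if scope == "*" or scope.endswith(".*"):
        return "critical"          # wildcard: every operation on the API
    if any(marker in scope for marker in WRITE_MARKERS):
        return "high"              # can modify or send, not just read
    if scope.endswith(".All"):
        return "medium"            # read across the whole tenant
    return "low"


def review_agent(agent: dict, approved: dict[str, set[str]]) -> list[Finding]:
    """Compare one agent's granted scopes with its approved allowlist."""
    findings: list[Finding] = []
    for conn in agent["connections"]:
        allowed = approved.get(conn["name"], set())
        for scope in conn["scopes"]:
            risk = scope_risk(scope)
            if scope not in allowed:
                # Unapproved scope: at least medium, higher if the scope itself is risky
                sev = max("medium", risk, key=SEVERITY_ORDER.index)
                findings.append(Finding(agent["name"], conn["name"], scope, sev,
                                        "scope not in approved allowlist"))
            elif conn.get("auth") == "application" and risk in ("high", "critical"):
                # Approved, but app-only credentials with a write or wildcard scope
                # act without any user context and deserve a second look
                findings.append(Finding(agent["name"], conn["name"], scope, "medium",
                                        "app-only connection holds write or wildcard scope"))
    return findings


def review_all(agents: list[dict], policy: dict[str, dict[str, set[str]]]) -> list[Finding]:
    """Review every agent; highest severity first."""
    findings = [f for a in agents for f in review_agent(a, policy.get(a["name"], {}))]
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity), reverse=True)


def worst_severity(findings: list[Finding]) -> str | None:
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default=None)


# Constructed sample inventory: agent names, connection names, the auth field and
# the allowlist are made up; the Graph scope names are real Microsoft Graph permissions.
AGENTS = [
    {"name": "hr-helpdesk", "connections": [
        {"name": "graph", "auth": "delegated", "scopes": ["Mail.Read", "Sites.Read.All"]},
    ]},
    {"name": "sales-summariser", "connections": [
        {"name": "graph", "auth": "application",
         "scopes": ["Mail.ReadWrite", "ChannelMessage.Read.All", "Files.Read.All"]},
        {"name": "crm-api", "auth": "application", "scopes": ["*"]},
    ]},
]

APPROVED = {
    "hr-helpdesk": {"graph": {"Mail.Read", "Sites.Read.All"}},
    "sales-summariser": {"graph": {"Mail.Read", "ChannelMessage.Read.All"},
                         "crm-api": {"opportunities:read"}},
}

if __name__ == "__main__":
    for f in review_all(AGENTS, APPROVED):
        print(f"{f.severity:8} {f.agent}/{f.connection} {f.scope}: {f.reason}")
```

Run against the constructed inventory, the HR agent comes back clean and the sales agent produces three findings: the CRM wildcard (critical), the unapproved `Mail.ReadWrite` (high) and the unapproved `Files.Read.All` (medium). The allowlist is the control here: keep it in source control next to the agent definitions so that every new scope a connection acquires shows up as a diff and a finding rather than silently widening what the agent can reach.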