Microsoft — CVE-2026-35435 Azure AI Foundry Agent Privilege Escalation
- Microsoft disclosed CVE-2026-35435 on May 7, 2026 — a CVSS 8.6 (Important) vulnerability in Azure AI Foundry and M365 Published Agents runtime.
- The flaw allows remote privilege escalation through forged authorization tokens that bypass access control validation.
- The AI agent runtime is the engine that connects AI agents to Microsoft 365 services — Outlook, Teams, SharePoint, OneDrive, and Excel all pass through it.
- Microsoft rated exploitability as "probable" — the highest confidence level before confirmed active exploitation.
- A successful attack grants access to emails, Teams conversations, SharePoint documents, and OneDrive files through the compromised agent's identity — no phishing or credential theft required.
- The patch is server-side only; no client update is needed, but tokens forged before patching may remain valid.
- Gartner projects 73% of enterprises will deploy an AI agent in production by end of 2026, making agent-runtime vulnerabilities a systemic risk.
Why it matters
- Agent runtimes are a new trust boundary — a single misconfigured or vulnerable agent can expose an entire organization's data surface.
- The "forged token" attack vector bypasses traditional identity controls entirely; attackers don't need stolen credentials, just a broken validation logic.
- This is the second M365 agent CVE this week (following Copirate 365), confirming that the M365 agent ecosystem is under active security scrutiny.
- Server-side patches don't eliminate persistent access — attackers who already forged tokens may retain entry.
What to do
- Inventory all AI agents deployed in Azure AI Foundry and M365 — disable non-critical agents immediately.
- Review and tighten RBAC permissions for every agent; apply least-privilege access.
- Enable verbose logging to detect anomalous token usage patterns.
- Configure Azure Private Link to isolate agent-to-service traffic.
- Revoke and rotate tokens for any agents created before May 7, 2026.