Microsoft disclosed CVE-2026-35435 on May 7, 2026 — a CVSS 8.6 (Important) vulnerability in Azure AI Foundry and M365 Published Agents runtime.
The flaw allows remote privilege escalation through forged authorization tokens that bypass access control validation.
The AI agent runtime is the engine that connects AI agents to Microsoft 365 services — Outlook, Teams, SharePoint, OneDrive, and Excel all pass through it.
Microsoft rated exploitability as "probable" — the highest confidence level before confirmed active exploitation.
A successful attack grants access to emails, Teams conversations, SharePoint documents, and OneDrive files through the compromised agent's identity — no phishing or credential theft required.
The patch is server-side only; no client update is needed, but tokens forged before patching may remain valid.
Gartner projects 73% of enterprises will deploy an AI agent in production by end of 2026, making agent-runtime vulnerabilities a systemic risk.
Why it matters
Agent runtimes are a new trust boundary — a single misconfigured or vulnerable agent can expose an entire organization's data surface.
The "forged token" attack vector bypasses traditional identity controls entirely; attackers don't need stolen credentials, just broken validation logic.
This is the second M365 agent CVE this week (following Copirate 365), confirming that the M365 agent ecosystem is under active security scrutiny.
Server-side patches don't eliminate persistent access — attackers who already forged tokens may retain entry.
What to do
Inventory all AI agents deployed in Azure AI Foundry and M365 — disable non-critical agents immediately.
Review and tighten RBAC permissions for every agent; apply least-privilege access.
Enable verbose logging to detect anomalous token usage patterns.
Configure Azure Private Link to isolate agent-to-service traffic.
Revoke and rotate tokens for any agents created before May 7, 2026.
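As an added illustration (not Microsoft's code, and not the actual defect, which the advisory does not detail), the block below contrasts a token check that trusts unsigned claims with one that verifies the signature, issuer, audience and expiry and also applies a key-rotation cutoff, so that tokens minted before the patch date are rejected instead of remaining valid. The signing keys, issuer, audience, claim names and the cutoff timestamp are constructed for the example.

```python
import base64, hashlib, hmac, json

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    """Minimal HS256-style bearer token (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def authorize_weak(token: str, scope: str) -> bool:
    """Defective pattern: decodes the claims but never verifies the signature,
    so whoever can write a payload can grant themselves any scope."""
    claims = json.loads(_unb64(token.split(".")[1]))
    return scope in claims.get("scp", [])

def authorize(token: str, scope: str, key: bytes, aud: str, iss: str,
              rotated_at: int, now: int) -> bool:
    """Hardened check: signature, issuer, audience, expiry, and a key-rotation
    cutoff that rejects tokens minted before the runtime was patched."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != iss or claims.get("aud") != aud:
        return False
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False
    if not isinstance(claims.get("iat"), int) or claims["iat"] < rotated_at:
        return False  # issued before rotation: could have been forged pre-patch
    return scope in claims.get("scp", [])

# Constructed sample values; the real runtime's key, issuer and audience differ.
RUNTIME_KEY, ATTACKER_KEY = b"constructed-runtime-signing-key", b"attacker-key"
ISS, AUD = "https://agent-runtime.example", "m365-agent"
ROTATED_AT = 1778112000            # 2026-05-07T00:00:00Z, the assumed rotation cutoff
NOW = ROTATED_AT + 86400           # one day after rotation
BASE = {"iss": ISS, "aud": AUD, "exp": NOW + 3600, "scp": ["Mail.Read"]}
FRESH = sign_token({**BASE, "iat": ROTATED_AT + 60}, RUNTIME_KEY)
OLD = sign_token({**BASE, "iat": ROTATED_AT - 86400}, RUNTIME_KEY)     # pre-rotation
FORGED = sign_token({**BASE, "iat": ROTATED_AT + 60}, ATTACKER_KEY)     # wrong key
```

The weak check accepts FORGED because it only reads the claims; the hardened check rejects FORGED on the signature and rejects OLD on the rotation cutoff, which is the behaviour the "revoke and rotate" step above is meant to achieve.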