<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dynamics-365 on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/dynamics-365/</link><description>Recent content in Dynamics-365 on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Wed, 18 Jun 2025 14:00:00 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/dynamics-365/index.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-47646: Dynamics 365 Customer Voice XSS Flaw</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-47646-dynamics-365-customer-voice-xss-spoofing/</link><pubDate>Thu, 18 Jun 2026 14:00:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-47646-dynamics-365-customer-voice-xss-spoofing/</guid><description>CVE-2026-47646 is an XSS spoofing vulnerability in Microsoft Dynamics 365 Customer Voice exploitable by unauthenticated attackers over a network.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47646">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2026-47646 is a cross-site scripting (XSS) vulnerability in Microsoft Dynamics 365 Customer Voice that allows an unauthenticated attacker to perform spoofing attacks over a network. The flaw stems from improper handling of user-supplied input during web page generation, meaning malicious content could be injected and rendered in a victim&rsquo;s browser. Because no authentication is required to exploit this, the potential reach is broad for any organisation using Customer Voice externally.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Review your Dynamics 365 Customer Voice deployments and ensure Microsoft&rsquo;s patch is applied promptly; additionally, assess whether any customer-facing survey links or embedded forms could be weaponised to deliver spoofed content to end users, and consider adding Content Security Policy (CSP) headers as a compensating control where supported.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47646">CVE-2026-47646 Dynamics 365 Customer Voice Spoofing Vulnerability</a></p>
]]></content:encoded></item><item><title>CVE-2026-47647: Dynamics 365 Privilege Escalation</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-47647-dynamics-365-elevation-of-privilege/</link><pubDate>Thu, 18 Jun 2026 14:00:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-47647-dynamics-365-elevation-of-privilege/</guid><description>CVE-2026-47647 is a Dynamics 365 elevation of privilege flaw allowing authenticated attackers to escalate permissions over a network. Patch now.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47647">Microsoft Security Response Center</a></p>
<hr>
<p>A flaw in Microsoft Dynamics 365 allows an already-authenticated attacker to gain higher privileges than they should have, purely over the network — no physical access required. This means a low-privileged user or compromised account could be leveraged to access sensitive business data or administrative functions within Dynamics 365. Given how widely Dynamics 365 is used for CRM and ERP workflows, the potential business impact is significant.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Audit current Dynamics 365 role assignments and apply the least-privilege principle immediately, removing any unnecessary elevated roles while Microsoft&rsquo;s patch is being applied. Prioritise patching for tenants where Dynamics 365 is integrated with other Azure services or holds sensitive customer and financial data.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47647">CVE-2026-47647 Dynamics 365 Elevation of Privilege Vulnerability</a></p>
]]></content:encoded></item><item><title>CVE-2026-40371: Dynamics 365 On-Prem EoP Fix</title><link>https://zxcloudsecurity.co.uk/posts/cve-2026-40371-microsoft-dynamics-365-on-premises-elevation-of-privilege/</link><pubDate>Tue, 16 Jun 2026 14:00:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2026-40371-microsoft-dynamics-365-on-premises-elevation-of-privilege/</guid><description>Microsoft corrects patch guidance for CVE-2026-40371, a Dynamics 365 on-premises privilege escalation flaw. The real fix is in v9.1 Update 1.45.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40371">Microsoft Security Response Center</a></p>
<hr>
<p>A privilege escalation vulnerability in Microsoft Dynamics 365 on-premises has been assigned CVE-2026-40371, allowing an attacker to gain elevated permissions within the application. Microsoft has corrected its remediation guidance: the fix is contained in Dynamics 365 Server v9.1 Update 1.45 (build 9.1.0045.0011), not the previously stated version 6.2. Organisations that applied the earlier guidance should verify they are running the correct build to ensure they are actually protected.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Audit your Dynamics 365 on-premises deployments immediately and confirm the installed build is 9.1.0045.0011 or later — do not assume earlier patching attempts were sufficient given the corrected version guidance. If you manage hybrid environments where on-premises Dynamics 365 integrates with Azure services, treat unpatched instances as a potential lateral movement risk and prioritise the update accordingly.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40371">CVE-2026-40371 Microsoft Dynamics 365 (on-premises) Elevation of Privilege Vulnerability</a></p>
]]></content:encoded></item></channel></rss>