Microsoft has disclosed a critical elevation-of-privilege vulnerability in Azure AI Foundry, tracked as CVE-2026-35435, which affects Microsoft 365 published agents and currently has no patch. Revealed on May 7, 2026, the flaw stems from improper access control and, according to Microsoft, has already been exploited in the wild.
Azure AI Foundry is Microsoft’s platform for building, training, and deploying AI models and agents. It integrates deeply with Microsoft 365, allowing organizations to create “published agents”—autonomous AI assistants that can perform tasks across the Microsoft ecosystem, from responding to emails to analyzing documents in SharePoint. These agents inherit permissions from their creators and often operate with broad access to organizational data.
CVE-2026-35435 affects the access control mechanisms governing how these published agents authenticate and authorize actions. In a typical scenario, an agent’s permissions should be strictly bounded by its configuration and the identity of its publisher. The vulnerability allows an attacker to bypass these restrictions, escalating their privileges from a low-privileged role to one with extensive control over AI resources and possibly the underlying Microsoft 365 environment.
How the Exploit Works
Improper access control vulnerabilities arise when a system fails to properly enforce permission checks. In this case, an attacker could manipulate agent configurations or exploit a flaw in the authorization protocol used by Azure AI Foundry’s agent runtime. Microsoft has not released full technical details, but similar flaws in cloud services often involve forging authentication tokens, exploiting API misconfigurations, or leveraging insecure defaults.
Once exploited, an attacker could:
- Republish a malicious agent with elevated permissions to access sensitive data or perform unauthorized actions.
- Intercept or modify agent communications, leading to data exfiltration or manipulation.
- Move laterally within the Azure AI Foundry workspace to compromise other AI models or connected services.
- Abuse the agent’s integration with Microsoft 365 to read confidential emails, download files, or impersonate users.
Because the vulnerability has already been exploited, it is classified as a zero-day. The exact nature of in-the-wild attacks remains unknown, but the mere fact of active exploitation underscores the urgency for organizations to act even without an official patch.
The Scope of Impact
Azure AI Foundry is used by enterprises of all sizes to streamline operations with AI. Published agents often have access to sensitive intellectual property, customer data, and internal communications. A privilege escalation in this context is not just a technical misstep—it represents a potential business disaster.
Organizations in regulated industries, such as finance, healthcare, and government, face heightened risk. A compromised agent could violate compliance mandates like GDPR, HIPAA, or SOC 2 by exposing protected data. Moreover, since agents can perform actions on behalf of users, an attacker might trigger financial transactions, delete critical resources, or disrupt AI-driven business processes.
Microsoft 365 integration amplifies the blast radius. An attacker who escalates privileges through an AI Foundry agent could pivot to Outlook, Teams, OneDrive, and SharePoint without triggering traditional security alerts, because the agent’s activity might appear legitimate at first glance.
Microsoft’s Response and Patch Status
At the time of disclosure, no patch is available. Microsoft’s security advisory classifies the vulnerability as “Critical”—its highest severity rating—with a CVSS score likely exceeding 9.0. The company typically releases out-of-band patches for zero-day exploits, but no timeline has been communicated. In the advisory, Microsoft recommends immediate mitigation steps while the engineering team works on a fix.
The lack of a patch leaves defenders in a precarious position. They must balance the risk of continued operation against the disruption of disabling or severely restricting agent functionality. For many businesses, AI agents are now indispensable, so outright removal is not feasible.
Immediate Mitigation Strategies
Without an official fix, organizations must rely on compensating controls to reduce exposure. The following measures can help limit the attack surface:
- Disable Unnecessary Agents: Review all published agents and decommission any that are not business-critical. Even temporarily pausing non-essential agents can reduce risk.
- Restrict Agent Publishing: Limit the ability to create or modify published agents to a minimal set of trusted administrators. Use Azure role-based access control (RBAC) to enforce this.
- Monitor Agent Behavior: Enable detailed logging for Azure AI Foundry and Microsoft 365. Look for anomalies such as agents executing unexpected commands, accessing unusual data sources, or operating outside normal hours.
- Network Segmentation: Where possible, isolate AI Foundry workspaces from the broader corporate network. Use Azure Private Link or VPNs to limit exposure.
- Apply Conditional Access Policies: For Microsoft 365, enforce strict conditional access rules to prevent agents from operating from untrusted locations or devices.
- Harden API Permissions: Audit the permissions granted to agents’ service principals. Ensure they adhere to the principle of least privilege—agents should only have the minimum permissions necessary to function.
These steps are not a substitute for a patch but can significantly lower the probability and impact of an attack.
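As an added illustration of the "Disable Unnecessary Agents" and "Harden API Permissions" steps (not code from Microsoft's advisory), the sketch below audits an exported agent inventory against a least-privilege baseline. The inventory schema, agent names, purposes and baseline are constructed assumptions; the permission strings follow Microsoft Graph naming.

```python
# Added example: least-privilege audit of agent service principals.
# Constructed inventory: agent names, purposes and grants are illustrative only.
INVENTORY = [
    {"agent": "hr-faq", "purpose": "sharepoint-reader", "critical": True,
     "granted": {"Sites.Selected", "User.Read"}},
    {"agent": "mail-triage", "purpose": "mail-responder", "critical": True,
     "granted": {"Mail.Read", "Mail.Send", "Files.ReadWrite.All", "User.Read"}},
    {"agent": "demo-summarizer", "purpose": "sharepoint-reader", "critical": False,
     "granted": {"Sites.Read.All", "User.Read"}},
]

# Hypothetical least-privilege baseline per agent purpose (an assumption, tune per tenant).
BASELINE = {
    "sharepoint-reader": {"Sites.Selected", "User.Read"},
    "mail-responder": {"Mail.Read", "Mail.Send", "User.Read"},
}

def is_broad(permission):
    """Tenant-wide (.All) or write/send-capable grants deserve review even when allowed."""
    parts = permission.split(".")
    return parts[-1] == "All" or "ReadWrite" in parts or "Send" in parts

def audit(inventory, baseline):
    """Return one finding per agent with a recommended action."""
    findings = []
    for entry in inventory:
        allowed = baseline.get(entry["purpose"], set())  # unknown purpose: nothing allowed
        excess = sorted(entry["granted"] - allowed)
        broad = sorted(p for p in entry["granted"] if is_broad(p))
        if not entry["critical"]:
            action = "pause"    # non-essential agents are disabled first
        elif excess:
            action = "reduce"   # revoke grants outside the baseline
        else:
            action = "keep"
        findings.append({"agent": entry["agent"], "action": action,
                         "excess": excess, "broad": broad})
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, BASELINE):
        print(finding)
```

The "broad" list is reported even for agents marked "keep", so reviewers can see which permitted grants still carry tenant-wide or write access.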
Historical Context: AI Service Vulnerabilities
CVE-2026-35435 is not an isolated incident. As AI services become more embedded in enterprise workflows, they attract the attention of sophisticated threat actors. Previous vulnerabilities in Azure Cognitive Services, OpenAI’s API integrations, and machine learning pipelines have demonstrated that AI platforms introduce new and complex attack surfaces.
For example, in early 2025, a privilege escalation flaw in Azure Machine Learning allowed attackers to access dataset storage accounts. Later that year, a server-side request forgery (SSRF) bug in Azure AI Studio enabled internal network probing. These incidents highlight a recurring theme: access controls in AI orchestration layers are often less mature than in traditional cloud services.
What sets CVE-2026-35435 apart is its exploitation status and the direct link to Microsoft 365—a platform used by over a million companies worldwide. The integration point between AI foundry services and productivity suites creates a bridge that attackers are eager to cross.
What Organizations Should Do Right Now
Security teams should treat this vulnerability with the highest priority. A step-by-step action plan includes:
- Inventory Assets: Catalog all Azure AI Foundry workspaces and the agents published within them. Document their permissions and data access scopes.
- Engage Stakeholders: Inform leadership about the risk and potential business impact. Secure approval for emergency mitigation measures.
- Implement Mitigations: Apply the compensating controls listed above, starting with disabling non-essential agents and tightening RBAC.
- Enhance Detection: Update SIEM rules to alert on suspicious agent activities. Correlate Azure AI Foundry logs with Microsoft 365 Unified Audit Logs.
- Prepare for Remediation: Have a deployment plan ready for when the patch is released. Test it in a staging environment first to avoid operational disruptions.
Large enterprises may also consider engaging Microsoft’s Detection and Response Team (DART) or a third-party incident response firm for proactive threat hunting.
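The "Enhance Detection" step can be prototyped before it is written as a SIEM rule. The following added example (not taken from the advisory or any Microsoft tooling) builds a per-agent baseline of data sources and flags off-hours activity, first-seen workloads, and agent publishing by accounts outside an allowlist. The event schema, the "AgentPublished" operation name, the accounts and the business-hours window are assumptions, and the events are constructed.

```python
# Added example: baseline-and-flag detection over merged agent activity records.
from datetime import datetime

BUSINESS_HOURS = range(7, 19)                   # assumption: 07:00-18:59 UTC
TRUSTED_PUBLISHERS = {"ai-admin@example.com"}   # constructed allowlist

# Constructed events in a hypothetical normalized schema (timestamps in UTC).
BASELINE_EVENTS = [
    {"ts": "2026-05-04T10:00:00", "agent": "hr-faq", "workload": "SharePoint", "operation": "FileAccessed"},
    {"ts": "2026-05-05T14:30:00", "agent": "hr-faq", "workload": "SharePoint", "operation": "FileAccessed"},
    {"ts": "2026-05-05T09:15:00", "agent": "mail-triage", "workload": "Exchange", "operation": "MailItemsAccessed"},
]
NEW_EVENTS = [
    {"ts": "2026-05-08T11:00:00", "agent": "hr-faq", "workload": "SharePoint", "operation": "FileAccessed"},
    {"ts": "2026-05-08T02:14:00", "agent": "hr-faq", "workload": "Exchange", "operation": "MailItemsAccessed"},
    {"ts": "2026-05-08T13:05:00", "agent": "mail-triage", "workload": "AIFoundry",
     "operation": "AgentPublished", "actor": "intern@example.com"},
]

def build_baseline(events):
    """Map each agent to the set of workloads it touched during the baseline period."""
    seen = {}
    for e in events:
        seen.setdefault(e["agent"], set()).add(e["workload"])
    return seen

def detect(events, baseline):
    """Return (agent, timestamp, reasons) for every event that deviates from the baseline."""
    alerts = []
    for e in events:
        reasons = []
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if e["operation"] == "AgentPublished":
            # Control-plane change: check who published rather than what was read.
            if e.get("actor") not in TRUSTED_PUBLISHERS:
                reasons.append("untrusted_publisher")
        elif e["workload"] not in baseline.get(e["agent"], set()):
            reasons.append("new_data_source")   # agents with no baseline always alert
        if reasons:
            alerts.append((e["agent"], e["ts"], reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```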
The Bigger Picture: AI Security in 2026
This vulnerability surfaces at a time when organizations are accelerating AI adoption. Gartner predicts that by 2027, over 70% of enterprises will use AI agents in production. Yet security governance for these agents lags significantly behind.
Azure AI Foundry is a powerful tool, but its complexity invites misconfigurations. The shared responsibility model is clear: Microsoft secures the infrastructure, but customers must configure services correctly. However, the default settings and the ease with which agents can be published sometimes blur these lines, leading to overly permissive deployments.
CVE-2026-35435 should be a wake-up call for every organization using cloud AI platforms. It emphasizes the need for:
- Rigorous access reviews for AI service principals.
- Automated guardrails that prevent overly permissive agent creation.
- Continuous security testing of AI pipelines, including red team exercises.
Microsoft is likely to respond with not just a patch but also increased security defaults for new AI Foundry deployments. In the long run, expect the Azure AI Foundry team to introduce more granular permission models and tighter integration with Microsoft’s Zero Trust framework.
Community and Press Reaction
The cybersecurity community has reacted swiftly to the disclosure. Initial discussions on forums like Windows Forum and Reddit’s r/sysadmin reveal a mix of frustration and concern. Many administrators expressed dismay at having to disable AI features they recently rolled out. Others questioned why the vulnerability existed in the first place, given the critical nature of access control.
Some security researchers speculated that the flaw might be related to how agents store and refresh OAuth tokens, similar to a known pattern in Azure Logic Apps. However, without official confirmation, these remain hypotheses. What is clear is that the incident has eroded trust in Microsoft’s ability to secure its rapidly evolving AI portfolio.
What’s Next?
Microsoft has not set a patch release date, but its history with critical zero-days suggests an out-of-band update within days. Security teams should monitor the Microsoft Security Response Center (MSRC) for updates and be ready to deploy immediately.
In the meantime, this incident will fuel the ongoing debate about whether AI agents should have such deep integration with productivity suites without stronger isolation boundaries. Regulators may also take note, especially if a breach occurs before patching.
For now, the best defense is proactive defense. Disable, restrict, monitor—and wait for Microsoft to deliver a fix.