CVE-2025-29826
Published 2025-05-13
CVE-2025-29826: Improper handling of insufficient permissions or privileges in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network.
Priority: P3 · 55 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.76% (50.4th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | dataverse | < 3.4.0.1406 | 3.4.0.1406 |
| microsoft | microsoft_dataverse | >= 10.0 < 3.4.0.1406 | 3.4.0.1406 |
| msrc | microsoft_dataverse | — | — |
CVSS provenance
nvd · v3.1 · 8.8 · HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_msrc · 7.3 · HIGH
Microsoft
Microsoft Dataverse Elevation of Privilege Vulnerability
vendor_msrc·2025-05-13·CVSS 7.3
CVE-2025-29826 [HIGH] CWE-280 Microsoft Dataverse Elevation of Privilege Vulnerability
Description: Improper handling of insufficient permissions or privileges in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network.
FAQ: What actions do I need to take to be protected from this vulnerability?
Customers who do not wish to wait for the PDU can update Dataverse by doing the following:
Open Resource Scheduling Optimization and select Upgrade to new version.
Select version 1406 from the Select target version list.
Microsoft Dataverse: Microsoft Dataverse
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Unlikely
Remediation: Release Notes
Reference: https://learn
GHSA
GHSA-w2cm-pc9j-3m28: Improper handling of insufficient permissions or privileges in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network
ghsa_unreviewed·2025-05-13
CVE-2025-29826 [HIGH] CWE-280 GHSA-w2cm-pc9j-3m28: Improper handling of insufficient permissions or privileges in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network
Improper handling of insufficient permissions or privileges in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network.
No detection rules found.
No public exploits indexed.
Published: 2025-05-13