Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Microsoft
  • Dynamics 365 Business Central
  • Dynamics 365 Business Central 2024
  • Dynamics 365 Business Central 2024 Wave 1
  • Dynamics 365 Business Central 2024 Wave 2
  • Dynamics 365 Business Central 2025
  • Dynamics 365 Business Central 2025 Wave 1
  • Dynamics 365 Business Central 2025 Wave 2
  • Dynamics 365 Business Central 2026

Configuration 1 [-]

OR cpe:2.3:a:microsoft:dynamics_365_business_central:2024:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central:2025:release_wave_1:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central:2025:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central:2026:release_wave_1:*:*:*:*:*:*

No data.

References
Link Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40417 cve-icon cve-icon
History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft dynamics 365 Business Central
CPEs cpe:2.3:a:microsoft:dynamics_365_business_central:2024:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central:2025:release_wave_1:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central:2025:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central:2026:release_wave_1:*:*:*:*:*:*
Vendors & Products Microsoft dynamics 365 Business Central

Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft dynamics 365 Business Central 2024 Wave 1
Microsoft dynamics 365 Business Central 2024 Wave 2
Microsoft dynamics 365 Business Central 2025 Wave 1
Microsoft dynamics 365 Business Central 2025 Wave 2
Vendors & Products Microsoft dynamics 365 Business Central 2024 Wave 1
Microsoft dynamics 365 Business Central 2024 Wave 2
Microsoft dynamics 365 Business Central 2025 Wave 1
Microsoft dynamics 365 Business Central 2025 Wave 2

Tue, 12 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
Title Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft dynamics 365 Business Central 2024
Microsoft dynamics 365 Business Central 2025
Microsoft dynamics 365 Business Central 2026
Weaknesses CWE-1390
CPEs cpe:2.3:a:microsoft:dynamics_365_business_central_2024:*:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central_2025:*:release_wave_1:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central_2025:*:release_wave_2:*:*:*:*:*:*
cpe:2.3:a:microsoft:dynamics_365_business_central_2026:*:release_wave_1:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft dynamics 365 Business Central 2024
Microsoft dynamics 365 Business Central 2025
Microsoft dynamics 365 Business Central 2026
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-05-12T16:58:47.393Z

Updated: 2026-06-02T23:16:41.289Z

Reserved: 2026-04-13T00:27:50.798Z

Link: CVE-2026-40417

cve-icon Vulnrichment

Updated: 2026-05-13T10:00:54.242Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T18:17:19.817

Modified: 2026-06-03T01:19:19.580

Link: CVE-2026-40417

cve-icon Redhat

No data.