Unpatched and Exploited: CVE-2026-35435 Breaks Azure AI Foundry Access Controls
TL;DR
Microsoft has disclosed CVE-2026-35435, a critical privilege escalation vulnerability in Azure AI Foundry that allows attackers to bypass access controls governing published AI agents. No patch exists. The zero-day is already being exploited in the wild, giving threat actors a direct path to escalate permissions, hijack agents, and laterally move into Microsoft 365 environments (Outlook, Teams, SharePoint, OneDrive) without triggering traditional security alerts.
What Happened
On May 7, 2026, Microsoft disclosed CVE-2026-35435, a critical elevation-of-privilege flaw in Azure AI Foundry—the cloud platform used by enterprises to build, train, and deploy AI models and agents. The vulnerability stems from improper access control in how the service authenticates and authorizes "published agents"—autonomous AI assistants deployed within Microsoft 365 ecosystems.
Published agents operate with broad, inherited permissions from their creators and often have direct access to organizational data: emails (Outlook), documents (SharePoint), files (OneDrive), team communications (Teams), and sensitive business logic. CVE-2026-35435 breaks the permission boundary that should isolate these agents.
The vulnerability has been actively exploited. Microsoft provides no estimated patch timeline, leaving CISOs with an unpatched critical vulnerability in a platform that over 1 million enterprises are actively adopting.
Technical Details
The flaw allows an attacker to manipulate or forge agent authorization tokens, bypassing the intended access control checks. Once exploited, an attacker can:
- Republish a compromised agent with elevated permissions, gaining access to sensitive data and triggering unauthorized actions.
- Intercept or modify agent-to-API communications, enabling data exfiltration or manipulation of organizational data.
- Escalate from a low-privileged account to control agents with expansive Microsoft 365 permissions.
- Laterally move from Azure AI Foundry into connected Microsoft 365 services without standard authentication challenges.
The vulnerability is particularly dangerous because:
1. Agent activity appears legitimate: Actions taken by a compromised agent may not trigger traditional security alerts, as the agent's service principal is authorized by design.
2. Deep Microsoft 365 integration: Agents can read emails, download confidential files, manipulate Teams channels, and impersonate legitimate business processes.
3. Default overpermissioning: Many organizations deploy published agents with broad permissions, which maximizes the blast radius of a successful exploit.
4. No compensating controls: Without a patch, defenders must disable or severely restrict agent functionality, disrupting business processes that organizations have recently invested in.
Lyrie Assessment
CVE-2026-35435 is a watershed moment for AI security. It demonstrates that AI platform vulnerabilities now represent asymmetric risk: a single access control flaw can bridge the gap between a low-privileged attacker and organization-wide data compromise.
Why this matters for Lyrie's audience (CISOs, security engineers, AI defenders):
1. Autonomous AI agents are now a primary attack surface. Lyrie's thesis on autonomous defense has a mirror image: adversaries are now weaponizing autonomous agents as attack primitives. A compromised agent operates without human interaction, making detection latency critical.
2. Microsoft 365 is the kill chain's endpoint. Organizations that centralize identity, data, and communication through Microsoft 365 face a new indirect attack vector: compromised AI agents operating with legitimate credentials. Traditional EDR and cloud access security brokers (CASB) may not catch agent-driven lateral movement because the traffic is expected.
3. Patching asymmetry is accelerating. Gartner reports that 73% of enterprises will have an AI agent in production by end of 2026, but vendor security practices for AI orchestration are 2-3 versions behind traditional cloud services. A critical zero-day in Azure AI Foundry is now a mass-availability attack—it affects every customer using published agents, not a niche subset.
4. The window for autonomous incident response is closing. If an attacker exploits CVE-2026-35435 to hijack an agent and exfiltrate data across Outlook/SharePoint, a human-driven remediation (disable the agent, reset permissions, audit logs) may take hours. Lyrie's autonomous resilience thesis—detecting and responding to agent-layer compromise in real time—becomes mandatory, not optional.
Recommended Actions
Immediate (within 24 hours):
1. Inventory all published Azure AI Foundry agents and the permissions they hold. Document which agents have access to sensitive data (HR, finance, legal, customer data).
2. Disable non-critical agents immediately. This is disruptive but necessary until Microsoft releases a patch.
3. Tighten RBAC for agent creation/publishing. Restrict the ability to create or modify published agents to a minimal set of trusted administrators.
4. Enable verbose logging for Azure AI Foundry and correlate logs with Microsoft 365 Unified Audit Logs. Configure alerts for unusual agent activity (unexpected API calls, data exports, user impersonation).
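One way to implement the "unusual agent activity" alerting from step 4, shown as an added example rather than code from Microsoft or Lyrie. It assumes audit records have been exported with the Unified Audit Log fields CreationTime, UserId, Workload and Operation; the agent identities, the records themselves and the spike threshold are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed records: (CreationTime, UserId, Workload, Operation).
# "faq-agent" and "new-agent" are hypothetical agent identities.
BASELINE = [
    ("2026-05-01T09:05:00", "faq-agent", "SharePoint", "FileAccessed"),
    ("2026-05-01T09:40:00", "faq-agent", "SharePoint", "FileAccessed"),
    ("2026-05-02T10:15:00", "faq-agent", "SharePoint", "FileAccessed"),
]
WINDOW = [
    ("2026-05-08T02:%02d:00" % m, "faq-agent", "SharePoint", "FileDownloaded")
    for m in range(7)
] + [
    ("2026-05-08T02:30:00", "faq-agent", "Exchange", "MailItemsAccessed"),
    ("2026-05-08T09:00:00", "faq-agent", "SharePoint", "FileAccessed"),
    ("2026-05-08T09:10:00", "new-agent", "SharePoint", "FileAccessed"),
]


def profile(records):
    """Per agent: the (workload, operation) pairs seen and events per hour."""
    ops, hourly = defaultdict(set), defaultdict(Counter)
    for ts, agent, workload, op in records:
        ops[agent].add((workload, op))
        hourly[agent][ts[:13]] += 1  # bucket key "YYYY-MM-DDTHH"
    return ops, hourly


def detect(baseline, window, spike_factor=3):
    """Compare a review window against each agent's own baseline behaviour."""
    base_ops, base_hourly = profile(baseline)
    win_ops, win_hourly = profile(window)
    alerts = []
    for agent in sorted(win_ops):
        if agent not in base_ops:
            # An agent nobody has profiled cannot be judged "normal".
            alerts.append((agent, "no-baseline", "agent absent from baseline period"))
            continue
        # Operations the agent never performed before (e.g. first mailbox read).
        for workload, op in sorted(win_ops[agent] - base_ops[agent]):
            alerts.append((agent, "new-operation", f"{workload}:{op}"))
        # Hours whose volume exceeds the baseline peak by the spike factor.
        peak = max(base_hourly[agent].values())
        for hour, n in sorted(win_hourly[agent].items()):
            if n > spike_factor * peak:
                detail = f"{hour} {n} events (baseline peak {peak})"
                alerts.append((agent, "volume-spike", detail))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE, WINDOW):
        print(alert)
```

Because a hijacked agent acts under an identity that is authorized by design, the comparison is against the agent's own history rather than against a list of forbidden operations.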
Short-term (this week):
1. Implement conditional access policies that restrict agent activity by location, device, and time of day.
2. Apply the principle of least privilege to agent service principals. Remove any broad permissions (e.g., Files.ReadWrite.All or Mail.ReadWrite across all mailboxes).
3. Network segmentation: Isolate AI Foundry workspaces using Azure Private Link where possible.
4. Engage Microsoft Support and request a patch timeline. Ask for interim compensating controls if available.
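The inventory step under "Immediate" and the least-privilege step above both come down to resolving each agent service principal's app role assignments to permission names and flagging the tenant-wide ones. The following is an added example, not Microsoft's or Lyrie's tooling; it assumes the assignments and the Microsoft Graph service principal's appRoles have already been exported, and the agent names and GUIDs are constructed placeholders.

```python
# Permissions the article names as too broad for an agent service principal.
NAMED_BROAD = {"Files.ReadWrite.All", "Mail.ReadWrite"}

# Constructed sample of the Microsoft Graph resource service principal's
# appRoles (role id -> permission name). GUIDs are placeholders.
GRAPH_APP_ROLES = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Files.ReadWrite.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Mail.ReadWrite"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "Sites.Read.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000004", "value": "Sites.Selected"},
]

# Constructed appRoleAssignments for three hypothetical agent service principals.
ASSIGNMENTS = [
    {"principalDisplayName": "hr-helper-agent", "appRoleId": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"principalDisplayName": "hr-helper-agent", "appRoleId": "aaaaaaaa-0000-0000-0000-000000000002"},
    {"principalDisplayName": "site-faq-agent", "appRoleId": "aaaaaaaa-0000-0000-0000-000000000004"},
    {"principalDisplayName": "legacy-agent", "appRoleId": "aaaaaaaa-0000-0000-0000-000000000003"},
    {"principalDisplayName": "legacy-agent", "appRoleId": "bbbbbbbb-0000-0000-0000-000000000009"},
]


def classify(permission):
    """Return why an application permission is tenant-wide, or None if scoped."""
    if permission in NAMED_BROAD:
        return "named in advisory"
    if permission.endswith(".All"):
        return "tenant-wide (.All)"
    return None


def audit(assignments, app_roles):
    """Resolve each assignment to a permission name and flag broad grants."""
    role_name = {r["id"]: r["value"] for r in app_roles}
    findings = []
    for a in assignments:
        perm = role_name.get(a["appRoleId"])
        if perm is None:
            # Unknown role id: surface it instead of silently passing it.
            findings.append((a["principalDisplayName"], a["appRoleId"], "unresolved role id"))
            continue
        reason = classify(perm)
        if reason:
            findings.append((a["principalDisplayName"], perm, reason))
    return sorted(findings)


def agents_to_restrict(findings):
    """Agents holding at least one flagged or unresolved grant."""
    return sorted({agent for agent, _, _ in findings})


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, GRAPH_APP_ROLES):
        print(finding)
```

Only the agent scoped with Sites.Selected passes; every other agent here needs its grants narrowed or removed before it is re-enabled.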
Long-term (Q2 2026):
1. Adopt an autonomous agent security posture. Lyrie's research indicates that organizations deploying autonomous threat detection on the agent layer reduce mean time to containment (MTTC) by 60% when an agent is compromised.
2. Red-team your published agents. Before re-enabling agents post-patch, conduct an agent-focused red team to validate that access controls are working as intended.
3. Plan for agent rotation. Assume that agents deployed before the patch may have been compromised. Plan to retire and rebuild them in a post-patch environment.
Sources
1. WindowsNews.ai: CVE-2026-35435 Critical Azure AI Foundry Privilege Escalation
2. Microsoft Security Response Center: CVE-2026-35435 Disclosure
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.