Power Platform Custom Code information disclosure

Published Fri, Aug 4th, 2023


A vulnerability in Power Platform could lead to unauthorized access to Custom Code functions used for custom connectors, thereby allowing cross-tenant information disclosure of secrets or other sensitive information if these were embedded in a Custom Code function. The issue occurred as a result of insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform. An attacker who determined the hostname of the Azure Function associated with the custom connector could interact with the function without authentication. Microsoft fixed the issue by requiring Azure Function keys for accessing the Function hosts and their HTTP trigger. An initial fix was deployed (on June 7th, 2023), but customers using affected Custom Code in a "soft deleted state" (part of a data recovery mechanism) remained vulnerable until a later fix was applied (on August 2nd, 2023).

Affected Services

Power Platform


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Thu, Mar 30th, 2023
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Evan Grant, Tenable