The Microsoft.PowerPlatform.Dataverse.Client NuGet package currently depends on System.Security.Cryptography.Xml version 8.0.2, which is affected by two high-severity vulnerabilities. These are being flagged by Veracode (Software Composition Analysis) in our security scans, causing compliance issues for our projects.
Affected Vulnerabilities:
https://nvd.nist.gov/vuln/detail/CVE-2026-26171
https://nvd.nist.gov/vuln/detail/CVE-2026-33116
Details
Vulnerable dependency: System.Security.Cryptography.Xml >= 8.0.0, <= 8.0.2
Fixed version: System.Security.Cryptography.Xml 8.0.3
Scan tool: Veracode SCA
The vulnerability in EncryptedXml allows an attacker to exploit uncontrolled resource consumption to perform a Denial of Service attack. Microsoft has already released a patched version (8.0.3) for .NET 8.
Impact
Since System.Security.Cryptography.Xml is a transitive dependency pulled in by the Dataverse Service Client, we are unable to resolve this vulnerability ourselves without a package update on your side. Our Veracode scans are currently failing due to this finding, which blocks our release pipeline.
Request
- Update the dependency on System.Security.Cryptography.Xml to version 8.0.3 (or later) and publish an updated NuGet package?
- Provide a timeline for when this fix will be included in a new release?
Thank you for your attention to this matter.
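An added example, not part of the original issue and not code from the Dataverse client project: a CI-side check that reads a restored `obj/project.assets.json` and reports every target where System.Security.Cryptography.Xml resolves inside the range quoted above (8.0.0 to 8.0.2), together with the packages that pull it in. The embedded assets fragment is constructed, and the Dataverse client version in it is a placeholder.

```python
import json

PACKAGE = "System.Security.Cryptography.Xml"
VULN_MIN, VULN_MAX = (8, 0, 0), (8, 0, 2)  # range stated in the issue

# Constructed fragment of obj/project.assets.json. The Dataverse client
# version "0.0.0-placeholder" is a placeholder, not a real release number.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net8.0": {
      "Microsoft.PowerPlatform.Dataverse.Client/0.0.0-placeholder": {
        "type": "package",
        "dependencies": {"System.Security.Cryptography.Xml": "8.0.2"}
      },
      "System.Security.Cryptography.Xml/8.0.2": {"type": "package"}
    }
  }
}
""")

def parse_version(text):
    """Turn '8.0.2' or '8.0.2-preview.1' into a comparable 3-tuple."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    return VULN_MIN <= parse_version(version) <= VULN_MAX

def find_vulnerable(assets):
    """Return [(target, resolved_version, [parents])] for vulnerable resolutions."""
    findings = []
    for target, libs in assets.get("targets", {}).items():
        for key in libs:
            name, _, version = key.partition("/")
            if name.lower() != PACKAGE.lower() or not is_vulnerable(version):
                continue
            # Parents are the libraries whose dependency list names the package.
            parents = sorted(
                k for k, v in libs.items()
                if any(d.lower() == PACKAGE.lower() for d in v.get("dependencies", {}))
            )
            findings.append((target, version, parents))
    return findings

if __name__ == "__main__":
    for target, version, parents in find_vulnerable(SAMPLE_ASSETS):
        print(f"{target}: {PACKAGE} {version} via {', '.join(parents) or 'direct reference'}")
```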