Skip to main content

Teams CVE-2026-21535

HIGH
Improper Access Control (CWE-284)
2026-02-19 secure@microsoft.com
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:03 vuln.today
CVE Published
Feb 19, 2026 - 23:16 nvd
HIGH 8.2

DescriptionCVE.org

Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network.

AnalysisAI

Microsoft Teams contains an access control vulnerability that enables unauthenticated remote attackers to extract sensitive information without user interaction. The flaw affects Teams deployments and carries a high severity rating, though no patch is currently available. Exploitation requires only network access with no additional prerequisites, making this a significant risk for organizations using the platform.

Technical ContextAI

Classified as CWE-284 (Improper Access Control). Affects Teams. Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

More in Teams

View all
CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2023-4863 HIGH POC
8.8 Sep 12

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to

CVE-2020-10146 MEDIUM POC
5.4 Dec 09

The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter tha

CVE-2026-42835 HIGH
8.1 Jun 09

Information disclosure in Microsoft Teams for Android allows an authenticated remote attacker to extract sensitive data

CVE-2023-29330 HIGH
8.8 Aug 08

Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2023-29328 HIGH
8.8 Aug 08

Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2020-17091 HIGH
7.8 Nov 11

Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica

CVE-2019-5922 HIGH
7.8 Mar 12

Untrusted search path vulnerability in The installer of Microsoft Teams allows an attacker to gain privileges via a Troj

CVE-2025-53783 HIGH
7.5 Aug 12

Heap-based buffer overflow in Microsoft Teams allows an unauthorized attacker to execute code over a network. Rated high

CVE-2025-49737 HIGH
7.0 Jul 08

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Teams allows an

Share

CVE-2026-21535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy