Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.
AnalysisAI
Authorization bypass in Microsoft Teams enables authenticated attackers to escalate privileges across security boundaries and access sensitive information from other tenants or user contexts. The CVSS score of 9.6 reflects a scope change (S:C), indicating the attacker can impact resources beyond their authorized permissions with high confidentiality and integrity impact. Vendor-released patch available from Microsoft Security Response Center. No public exploit identified at time of analysis, with CVSS temporal metrics indicating unproven exploitability (E:U).
Technical ContextAI
This vulnerability stems from improper authorization (CWE-285), a flaw in access control logic that fails to correctly verify whether an authenticated user has permission to access specific resources or perform certain actions. In Microsoft Teams (CPE 2.3:a:microsoft:microsoft_teams), this manifests as inadequate enforcement of tenant boundaries, channel permissions, or user context separation. Unlike authentication bypass which defeats login controls, improper authorization occurs after successful authentication when the system fails to validate what the authenticated user should be allowed to access. The scope change metric indicates the vulnerability affects resources in a different security scope than the vulnerable component itself, suggesting potential cross-tenant or cross-organization information disclosure scenarios in Teams' multi-tenant architecture.
RemediationAI
Apply the vendor-released patch immediately by updating Microsoft Teams to the latest version through standard Microsoft update channels. For Windows desktop clients, updates typically deploy via Microsoft Store or background auto-update mechanisms; administrators should verify deployment through Microsoft 365 admin center. For enterprise deployments, consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33823 for version-specific patch details and deployment guidance. As an interim compensating control until patching completes, organizations handling highly sensitive data could implement stricter conditional access policies requiring multi-factor authentication for all Teams access, restrict guest user access to minimize cross-tenant attack surface, enable advanced audit logging to detect anomalous cross-channel or cross-team data access patterns, and review Teams external access settings to limit federation with untrusted domains-though these controls do not eliminate the underlying authorization flaw and may impact legitimate collaboration workflows.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28450
GHSA-w6p3-2c62-jm2g