Skip to main content

Microsoft Teams CVE-2026-33823

| EUVDEUVD-2026-28450 CRITICAL
Improper Authorization (CWE-285)
2026-05-07 microsoft GHSA-w6p3-2c62-jm2g
9.6
CVSS 3.1 · NVD
Temporal: 8.3
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
8.3 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 07, 2026 - 22:02 vuln.today
CVE Published
May 07, 2026 - 20:58 nvd
CRITICAL 9.6

DescriptionCVE.org

Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.

AnalysisAI

Authorization bypass in Microsoft Teams enables authenticated attackers to escalate privileges across security boundaries and access sensitive information from other tenants or user contexts. The CVSS score of 9.6 reflects a scope change (S:C), indicating the attacker can impact resources beyond their authorized permissions with high confidentiality and integrity impact. Vendor-released patch available from Microsoft Security Response Center. No public exploit identified at time of analysis, with CVSS temporal metrics indicating unproven exploitability (E:U).

Technical ContextAI

This vulnerability stems from improper authorization (CWE-285), a flaw in access control logic that fails to correctly verify whether an authenticated user has permission to access specific resources or perform certain actions. In Microsoft Teams (CPE 2.3:a:microsoft:microsoft_teams), this manifests as inadequate enforcement of tenant boundaries, channel permissions, or user context separation. Unlike authentication bypass which defeats login controls, improper authorization occurs after successful authentication when the system fails to validate what the authenticated user should be allowed to access. The scope change metric indicates the vulnerability affects resources in a different security scope than the vulnerable component itself, suggesting potential cross-tenant or cross-organization information disclosure scenarios in Teams' multi-tenant architecture.

RemediationAI

Apply the vendor-released patch immediately by updating Microsoft Teams to the latest version through standard Microsoft update channels. For Windows desktop clients, updates typically deploy via Microsoft Store or background auto-update mechanisms; administrators should verify deployment through Microsoft 365 admin center. For enterprise deployments, consult the Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33823 for version-specific patch details and deployment guidance. As an interim compensating control until patching completes, organizations handling highly sensitive data could implement stricter conditional access policies requiring multi-factor authentication for all Teams access, restrict guest user access to minimize cross-tenant attack surface, enable advanced audit logging to detect anomalous cross-channel or cross-team data access patterns, and review Teams external access settings to limit federation with untrusted domains-though these controls do not eliminate the underlying authorization flaw and may impact legitimate collaboration workflows.

Share

CVE-2026-33823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy