Skip to main content

Microsoft Exchange Server CVE-2026-45502

| EUVDEUVD-2026-35678 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-09 secure@microsoft.com GHSA-pg2w-h945-7pf7
5.0
CVSS 3.1 · NVD
Temporal: 4.4
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
4.4 MEDIUM
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 19:41 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
MEDIUM 5.0

DescriptionNVD

Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.

AnalysisAI

Server-side request forgery in Microsoft Exchange Server enables an authenticated low-privilege attacker to coerce the server into issuing outbound network requests to internal or external resources, resulting in information disclosure. Affected deployments span Exchange Server 2016 CU23, Exchange Server 2019 CU14 and CU15, and the current Subscription Edition - all at versions below their respective patched builds. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis, but the Changed scope in the CVSS vector indicates the server can reach resources beyond its own trust boundary, amplifying reconnaissance value for an already-authenticated adversary.

Technical ContextAI

CWE-918 (Server-Side Request Forgery) describes a class of vulnerability where an application accepts user-controlled input and uses it to construct and issue a server-side HTTP or network request without adequate validation. In Exchange Server, the attacker - holding at minimum a low-privilege mail account - can influence the destination or parameters of an internal request. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N is particularly informative: the Changed scope (S:C) confirms the vulnerability crosses a security boundary, meaning Exchange can be used as a proxy to reach internal services, cloud metadata endpoints (e.g., IMDS), or segmented network hosts that would otherwise be unreachable from the attacker's position. Affected CPE targets span Exchange 15.01.x (Exchange 2016) and 15.02.x (Exchange 2019 and Subscription Edition) build families as enumerated in ENISA EUVD-2026-35678.

RemediationAI

The vendor-released patch is available via Microsoft's Security Response Center. Administrators should update Exchange Server 2016 CU23 to build 15.01.2507.069 or later, Exchange Server 2019 CU14 to build 15.02.1544.041 or later, Exchange Server 2019 CU15 to build 15.02.1748.046 or later, and Exchange Server Subscription Edition to build 15.02.2562.043 or later. Patch guidance and downloads are detailed at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45502. Where immediate patching is not feasible, the SSRF attack surface can be partially reduced by restricting outbound HTTP/HTTPS connectivity from Exchange servers to only required destinations via egress firewall rules - this limits the value of any internal probe attempts but does not eliminate the vulnerability. Blocking access from untrusted low-privilege accounts to Exchange web-facing endpoints (e.g., via network segmentation or conditional access policies) would further constrain attacker reach, at the cost of potentially disrupting legitimate Outlook Web Access or EWS usage patterns. Patching remains the only definitive remediation.

CVE-2020-17132 CRITICAL POC
9.1 Dec 10

Microsoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote

CVE-2022-23277 HIGH POC
8.8 Mar 09

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2021-42321 HIGH POC
8.8 Nov 10

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem

CVE-2020-16875 HIGH POC
8.4 Sep 11

<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume

CVE-2021-28481 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2021-28480 CRITICAL POC
9.8 Apr 13

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-0986 HIGH POC
8.8 Apr 04

A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci

CVE-2018-16793 HIGH POC
8.6 Sep 21

Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame

CVE-2019-0724 HIGH POC
8.1 Mar 05

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of

CVE-2023-36745 HIGH POC
8.0 Sep 12

Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low

CVE-2013-0418 MEDIUM
6.8 Jan 17

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows

CVE-2021-33766 HIGH POC
7.3 Jul 14

Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re

Share

CVE-2026-45502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy