Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionNVD
Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.
AnalysisAI
Server-side request forgery in Microsoft Exchange Server allows an authenticated attacker with low privileges to coerce the Exchange server into making arbitrary outbound requests, resulting in disclosure of sensitive information and potential integrity impact across internal network resources. The CVSS 8.1 score reflects the high confidentiality and integrity impact from a network-reachable, low-complexity attack, though no public exploit identified at time of analysis. The vulnerability is tagged as an Authentication Bypass / SSRF, suggesting the SSRF primitive may be leveraged to bypass network-based authentication boundaries (e.g., reaching internal trusted endpoints).
Technical ContextAI
Microsoft Exchange Server is a widely deployed enterprise messaging platform that exposes numerous HTTP-based services (OWA, ECP, EWS, Autodiscover, MAPI/HTTP) which historically have been frequent SSRF vectors due to Exchange's design where the server itself makes back-end calls on behalf of clients. The CWE-285 (Improper Authorization) classification indicates the root cause is a missing or flawed authorization check on a request-issuing function, allowing a low-privileged user to instruct the server to fetch resources it should not be permitted to reach. SSRF in Exchange is particularly dangerous because Exchange servers often hold elevated Active Directory privileges and reside on trusted network segments, making outbound server-initiated requests effective for reaching internal-only endpoints, cloud metadata services in hybrid deployments, or other Exchange-internal endpoints that trust the originating host.
RemediationAI
Patch availability per vendor advisory is implied by the MSRC reference at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45503 - administrators should consult that page for the exact Security Update (SU) and Cumulative Update (CU) build numbers required and apply them via Windows Update or by downloading the SU package and running it elevated, then verifying the Exchange Setup/Recovery completed and services restarted cleanly. As compensating controls while patching is scheduled, restrict outbound HTTP/HTTPS egress from Exchange servers to only required Microsoft endpoints (which limits SSRF blast radius but may break hybrid/Office 365 connectors if over-tightened), require multi-factor authentication on all mailbox accounts to raise the cost of obtaining the low-privileged credential the attack requires, and consider placing OWA/ECP behind a reverse proxy or VPN to reduce the population of attackers who can reach the vulnerable endpoint. Monitor IIS logs on Exchange for anomalous request patterns to ECP/EWS/Autodiscover endpoints from authenticated users.
More in Exchange Server
View allMicrosoft Exchange Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remote
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is rem
<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet argume
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is
A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a speci
Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parame
An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of
Microsoft Exchange Server Remote Code Execution Vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 and 8.4 allows
Microsoft Exchange Server Information Disclosure Vulnerability. Rated high severity (CVSS 7.3), this vulnerability is re
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35679
GHSA-p44w-fhq3-v2jv