Skip to main content

Microsoft Graph CVE-2026-47655

| EUVDEUVD-2026-34337 MEDIUM
Information Exposure (CWE-200)
2026-06-04 microsoft GHSA-jp3c-j73w-vfj9
6.5
CVSS 3.1 · Vendor: microsoft
Temporal: 5.7
Share

Severity by source

Vendor (microsoft) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
5.7 MEDIUM
cvss

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 04, 2026 - 23:04 vuln.today
CVE Published
Jun 04, 2026 - 22:00 nvd
MEDIUM 6.5

DescriptionCVE.org

Exposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network.

AnalysisAI

Microsoft Graph exposes sensitive data to authenticated network attackers due to improper authorization controls, allowing low-privileged API callers to retrieve information beyond their granted scope. The vulnerability (CVSS 6.5) carries high confidentiality impact (C:H) with no integrity or availability consequence, making it a pure data disclosure risk against Microsoft's unified cloud API surface. No public exploit code has been identified at time of analysis, and Microsoft has released a server-side patch via MSRC advisory CVE-2026-47655.

Technical ContextAI

Microsoft Graph (graph.microsoft.com) is Microsoft's unified REST API gateway providing programmatic access to Microsoft 365 and Azure AD/Entra ID resources - including user profiles, mail, calendars, Teams data, SharePoint files, and organizational directory objects. The affected product per CPE cpe:2.3:a:microsoft:microsoft_graph:*:*:*:*:*:*:*:* spans all versions, consistent with a cloud-hosted service where versioning is controlled server-side. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identifies the root cause class as a failure of access control or response filtering - in a REST API context, this typically manifests as broken object-level authorization (BOLA/IDOR), insufficient permission scope enforcement, or API responses returning data fields beyond what the caller's OAuth scope should permit. The Graph API uses OAuth 2.0 delegated and application permissions, meaning the vulnerability likely involves a scope or role boundary that is not correctly enforced before data is returned.

RemediationAI

The primary fix is the vendor-released patch applied by Microsoft to the Graph API service, documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47655. Because Microsoft Graph is a cloud-hosted service, no on-premises software update is required; however, organizations should review the MSRC advisory for any required client-side actions. As a compensating control, administrators should audit Microsoft Graph API permissions granted to registered applications in Azure AD/Entra ID via the App Registrations and Enterprise Applications blades, revoking overly broad delegated or application permission scopes (e.g., User.Read.All, Mail.Read.All, Directory.Read.All) in favor of least-privilege alternatives - note that scope reductions may break existing integrations and should be tested in non-production before enforcement. Conditional Access policies restricting Graph API access to managed, compliant devices add a compensating layer. No exact patch version number is applicable given the cloud delivery model; patch availability is confirmed per the MSRC advisory.

Share

CVE-2026-47655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy