Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Network-reachable SaaS endpoint (AV:N), no special conditions (AC:L), requires any authenticated tenant user (PR:L), no victim interaction (UI:N), missing authz crosses tenant/role boundary (S:C) with high C/I and no availability impact.
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Privilege escalation in Microsoft Exchange Online allows an authenticated remote attacker to elevate privileges across a tenant or organizational boundary due to missing authorization checks. The flaw carries a CVSS 3.1 score of 9.6 with scope change, indicating impact beyond the initially authorized security context, though no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid authenticated identity in Microsoft Exchange Online at a low privilege level (CVSS PR:L), such as a standard mailbox user account in any tenant, and network reachability to the Exchange Online service endpoints over the internet (AV:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) describes a network-reachable, low-complexity flaw requiring only low privileges (any authenticated mailbox or tenant user) with no user interaction, and Scope:Changed indicating the attacker can affect resources beyond their own authorization scope - a strong signal of cross-tenant or cross-role impact in a SaaS context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or registered any low-privileged Exchange Online user identity - for example through credential phishing of a single mailbox user - authenticates to the service and issues a crafted management or data-plane request that, due to the missing authorization check, is executed as if the caller held a higher role. The scope-changed nature of the CVSS vector implies the attacker can then read or modify resources belonging to other users or other tenants, enabling mailbox content disclosure or administrative role manipulation without ever needing admin credentials. |
| Remediation | Patch available per vendor advisory: because Exchange Online is a Microsoft-managed cloud service, the fix is deployed by Microsoft to the service backend and does not require customer-side patching - administrators should review https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48582 to confirm the service-side mitigation has reached their tenant and whether any configuration action is required. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Enable comprehensive audit logging for privilege escalation and cross-tenant resource access attempts; brief incident response team on exposure risks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38090
GHSA-j97v-rpjv-q4wf