Skip to main content

Microsoft Exchange Online CVE-2026-48582

| EUVDEUVD-2026-38090 CRITICAL
Missing Authorization (CWE-862)
2026-06-19 secure@microsoft.com GHSA-j97v-rpjv-q4wf
9.6
CVSS 3.1 · Vendor: microsoft
Temporal: 8.3
Share

Severity by source

Vendor (microsoft) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CIRCL (temporal)
8.3 HIGH
cvss
vuln.today AI
9.6 CRITICAL

Network-reachable SaaS endpoint (AV:N), no special conditions (AC:L), requires any authenticated tenant user (PR:L), no victim interaction (UI:N), missing authz crosses tenant/role boundary (S:C) with high C/I and no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorVendor: microsoft

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 19, 2026 - 21:40 vuln.today
CVE Published
Jun 19, 2026 - 21:17 nvd
CRITICAL 9.6

DescriptionCVE.org

Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Privilege escalation in Microsoft Exchange Online allows an authenticated remote attacker to elevate privileges across a tenant or organizational boundary due to missing authorization checks. The flaw carries a CVSS 3.1 score of 9.6 with scope change, indicating impact beyond the initially authorized security context, though no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Exchange Online credentials
Delivery
Authenticate to Exchange Online endpoint
Exploit
Send crafted request bypassing authorization check
Execution
Invoke privileged operation across scope boundary
Impact
Access or modify protected mailbox or tenant resources

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid authenticated identity in Microsoft Exchange Online at a low privilege level (CVSS PR:L), such as a standard mailbox user account in any tenant, and network reachability to the Exchange Online service endpoints over the internet (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) describes a network-reachable, low-complexity flaw requiring only low privileges (any authenticated mailbox or tenant user) with no user interaction, and Scope:Changed indicating the attacker can affect resources beyond their own authorization scope - a strong signal of cross-tenant or cross-role impact in a SaaS context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or registered any low-privileged Exchange Online user identity - for example through credential phishing of a single mailbox user - authenticates to the service and issues a crafted management or data-plane request that, due to the missing authorization check, is executed as if the caller held a higher role. The scope-changed nature of the CVSS vector implies the attacker can then read or modify resources belonging to other users or other tenants, enabling mailbox content disclosure or administrative role manipulation without ever needing admin credentials.
Remediation Patch available per vendor advisory: because Exchange Online is a Microsoft-managed cloud service, the fix is deployed by Microsoft to the service backend and does not require customer-side patching - administrators should review https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48582 to confirm the service-side mitigation has reached their tenant and whether any configuration action is required. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Enable comprehensive audit logging for privilege escalation and cross-tenant resource access attempts; brief incident response team on exposure risks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48582 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy