Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (microsoft).
CVSS VectorVendor: microsoft
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Exposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network.
AnalysisAI
Microsoft Graph exposes sensitive data to authenticated network attackers due to improper authorization controls, allowing low-privileged API callers to retrieve information beyond their granted scope. The vulnerability (CVSS 6.5) carries high confidentiality impact (C:H) with no integrity or availability consequence, making it a pure data disclosure risk against Microsoft's unified cloud API surface. No public exploit code has been identified at time of analysis, and Microsoft has released a server-side patch via MSRC advisory CVE-2026-47655.
Technical ContextAI
Microsoft Graph (graph.microsoft.com) is Microsoft's unified REST API gateway providing programmatic access to Microsoft 365 and Azure AD/Entra ID resources - including user profiles, mail, calendars, Teams data, SharePoint files, and organizational directory objects. The affected product per CPE cpe:2.3:a:microsoft:microsoft_graph:*:*:*:*:*:*:*:* spans all versions, consistent with a cloud-hosted service where versioning is controlled server-side. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identifies the root cause class as a failure of access control or response filtering - in a REST API context, this typically manifests as broken object-level authorization (BOLA/IDOR), insufficient permission scope enforcement, or API responses returning data fields beyond what the caller's OAuth scope should permit. The Graph API uses OAuth 2.0 delegated and application permissions, meaning the vulnerability likely involves a scope or role boundary that is not correctly enforced before data is returned.
RemediationAI
The primary fix is the vendor-released patch applied by Microsoft to the Graph API service, documented at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47655. Because Microsoft Graph is a cloud-hosted service, no on-premises software update is required; however, organizations should review the MSRC advisory for any required client-side actions. As a compensating control, administrators should audit Microsoft Graph API permissions granted to registered applications in Azure AD/Entra ID via the App Registrations and Enterprise Applications blades, revoking overly broad delegated or application permission scopes (e.g., User.Read.All, Mail.Read.All, Directory.Read.All) in favor of least-privilege alternatives - note that scope reductions may break existing integrations and should be tested in non-production before enforcement. Conditional Access policies restricting Graph API access to managed, compliant devices add a compensating layer. No exact patch version number is applicable given the cloud delivery model; patch availability is confirmed per the MSRC advisory.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34337
GHSA-jp3c-j73w-vfj9