Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network.
AnalysisAI
Information disclosure in Microsoft Exchange Online allows remote unauthenticated attackers to access sensitive data due to improper authorization enforcement (CWE-285). The flaw carries a CVSS 9.1 score reflecting network-reachable exploitation without privileges or user interaction, though no public exploit identified at time of analysis. Microsoft has issued a fix through its cloud service, and the CVSS vector indicates high confidentiality and integrity impact despite the description focusing on disclosure.
Technical ContextAI
Microsoft Exchange Online is the cloud-hosted email, calendaring, and collaboration service delivered as part of Microsoft 365, identified in the CPE as cpe:2.3:a:microsoft:microsoft_exchange_online. The underlying weakness is CWE-285 (Improper Authorization), meaning the service fails to correctly verify that the requesting principal is permitted to perform an action or read a resource before returning data. In a multi-tenant SaaS mail platform, authorization decisions typically govern mailbox access, directory queries, and administrative endpoints, so a bypass at this layer can expose data belonging to other users or tenants without requiring credential theft or session hijacking.
RemediationAI
Patch available per vendor advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48579; because Exchange Online is a Microsoft-managed SaaS, the fix is deployed by Microsoft to the service and no customer-side patching action is required for the core vulnerability. Tenant administrators should review the MSRC entry for any guidance on tenant configuration changes, audit log review, or detections, and confirm via the Microsoft 365 admin center / Message Center that their tenant is on the patched service version. As compensating controls during the verification window, restrict external access to Exchange endpoints via Conditional Access (which may break legitimate mobile or third-party mail clients), enforce modern authentication and disable legacy protocols such as Basic Auth on EWS/IMAP/POP (which can break older client integrations), and increase Unified Audit Log monitoring for anomalous mailbox or directory read activity.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34338
GHSA-jwv5-9w8q-m2j8