Skip to main content

Microsoft Exchange Online EUVDEUVD-2026-34338

| CVE-2026-48579 CRITICAL
Improper Authorization (CWE-285)
2026-06-04 microsoft GHSA-jwv5-9w8q-m2j8
9.1
CVSS 3.1 · NVD
Temporal: 7.9
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.9 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 04, 2026 - 23:00 vuln.today
CVE Published
Jun 04, 2026 - 22:00 nvd
CRITICAL 9.1

DescriptionCVE.org

Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network.

AnalysisAI

Information disclosure in Microsoft Exchange Online allows remote unauthenticated attackers to access sensitive data due to improper authorization enforcement (CWE-285). The flaw carries a CVSS 9.1 score reflecting network-reachable exploitation without privileges or user interaction, though no public exploit identified at time of analysis. Microsoft has issued a fix through its cloud service, and the CVSS vector indicates high confidentiality and integrity impact despite the description focusing on disclosure.

Technical ContextAI

Microsoft Exchange Online is the cloud-hosted email, calendaring, and collaboration service delivered as part of Microsoft 365, identified in the CPE as cpe:2.3:a:microsoft:microsoft_exchange_online. The underlying weakness is CWE-285 (Improper Authorization), meaning the service fails to correctly verify that the requesting principal is permitted to perform an action or read a resource before returning data. In a multi-tenant SaaS mail platform, authorization decisions typically govern mailbox access, directory queries, and administrative endpoints, so a bypass at this layer can expose data belonging to other users or tenants without requiring credential theft or session hijacking.

RemediationAI

Patch available per vendor advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48579; because Exchange Online is a Microsoft-managed SaaS, the fix is deployed by Microsoft to the service and no customer-side patching action is required for the core vulnerability. Tenant administrators should review the MSRC entry for any guidance on tenant configuration changes, audit log review, or detections, and confirm via the Microsoft 365 admin center / Message Center that their tenant is on the patched service version. As compensating controls during the verification window, restrict external access to Exchange endpoints via Conditional Access (which may break legitimate mobile or third-party mail clients), enforce modern authentication and disable legacy protocols such as Basic Auth on EWS/IMAP/POP (which can break older client integrations), and increase Unified Audit Log monitoring for anomalous mailbox or directory read activity.

Share

EUVD-2026-34338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy