Description
Exposure of sensitive information to an unauthorized actor in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-02-10
Score: 7.5 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in Microsoft Office Outlook permits an attacker to expose sensitive information that can then be used to perform spoofing over a network. This information disclosure is identified as CWE-200 and indicates a vulnerability to data exposure. The compromised data may allow malicious actors to send forged messages that appear legitimate, potentially undermining trust in communications and facilitating further attacks.

Affected Systems

The vulnerability affects a range of Microsoft products, including Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Outlook 2016, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. No specific version information was provided, so all releases of the listed products are potentially impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of 1% denotes a relatively low probability of exploitation in the wild at present. This vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network-based, as the description references activity over a network. An attacker must gain unauthorized network access to the affected Office or SharePoint services to trigger the disclosure. Overall, the risk can be described as moderate to high, depending on the network exposure and defensive controls such as email authentication mechanisms.

Generated by OpenCVE AI on June 18, 2026 at 05:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the Microsoft security update for CVE-2026-21260 from the Microsoft Security Response Center or the Security Update Guide.
  • If a patch is not yet available for your environment, restrict or disable the Outlook or SharePoint features that allow message spoofing to reduce exposure.
  • Enforce email authentication protocols (SPF, DKIM, DMARC) and configure network security controls to limit the ability of unauthorized traffic to reach your Outlook or SharePoint services.

Generated by OpenCVE AI on June 18, 2026 at 05:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft outlook
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:outlook:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:outlook:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft outlook

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.
Title Microsoft Outlook Spoofing Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft outlook 2016
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:outlook_2016:*:*:*:*:*:x86:*:*
cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft outlook 2016
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


Subscriptions

Microsoft 365 Apps Office Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel Outlook Outlook 2016 Sharepoint Server Sharepoint Server 2016 Sharepoint Server 2019
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-11T21:25:17.843Z

Reserved: 2025-12-11T21:02:05.737Z

Link: CVE-2026-21260

cve-icon Vulnrichment

Updated: 2026-02-11T15:27:28.976Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-10T18:16:27.947

Modified: 2026-06-17T10:18:23.000

Link: CVE-2026-21260

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T05:15:16Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor