Description
Exposure of sensitive information to an unauthorized actor in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.
Published: 2026-02-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Exposure of sensitive information enabling spoofing over a network
Action: Apply Patch
AI Analysis

Impact

A flaw in Microsoft Office Outlook allows an unauthorized actor to expose sensitive information that can be used to perform spoofing over a network. The vulnerability is associated with CWE-200, which concerns information exposure. If exploited, an attacker could forge email identities or other messages, leading to phishing, credential theft, or other malicious activities that compromise confidentiality, integrity, and possibly availability of the affected systems.

Affected Systems

The vulnerability affects a range of Microsoft products, including Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Outlook 2016, Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. Version details are not explicitly specified in the advisory, so all releases of the listed products are potentially impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. The EPSS score of less than 1% suggests a low but non-zero probability of exploitation in the wild at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves network-based interactions—an attacker can send crafted traffic to exposed Outlook or SharePoint services to trigger the information disclosure. The overall risk is moderate to high, depending on the attacker's position relative to the network and the presence of defensive controls such as email authentication and firewall rules.

Generated by OpenCVE AI on April 15, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the Microsoft security updates that address CVE-2026-21260 from the Microsoft Security Response Center or the Security Update Guide.
  • If an update is not yet available, disable or restrict the feature that permits message spoofing in Outlook and SharePoint environments to reduce exposure.
  • Ensure that outbound email traffic uses encryption (TLS) and that SPF, DKIM, and DMARC are properly configured to mitigate spoofing attacks.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft outlook
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:outlook:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:outlook:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:sharepoint_server:2016:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel
Microsoft outlook

Wed, 11 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description Exposure of sensitive information to an unauthorized actor in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.
Title Microsoft Outlook Spoofing Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft outlook 2016
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
Weaknesses CWE-200
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:outlook_2016:*:*:*:*:*:x86:*:*
cpe:2.3:a:microsoft:sharepoint_server:*:*:*:*:subscription:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2016:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:sharepoint_server_2019:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Microsoft outlook 2016
Microsoft sharepoint Server
Microsoft sharepoint Server 2016
Microsoft sharepoint Server 2019
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:05.608Z

Reserved: 2025-12-11T21:02:05.737Z

Link: CVE-2026-21260

Vulnrichment

Updated: 2026-02-11T15:27:28.976Z

NVD

Status: Analyzed

Published: 2026-02-10T18:16:27.947

Modified: 2026-02-11T19:10:20.090

Link: CVE-2026-21260

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:45:10Z

Weaknesses