Description
Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network.
Published: 2026-02-19
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch promptly
AI Analysis

Impact

Microsoft Teams contains an improper access control flaw that allows unauthenticated attackers to read sensitive information transmitted over a network. The weakness is classified as CWE-284 and can lead to data leakage that exposes private communications, meeting content, or other organizational data. The stated impact is unauthorized disclosure of information to an attacker, which undermines the confidentiality of organizational assets.

Affected Systems

The vulnerability affects Microsoft Teams, as identified by Microsoft and referenced by the CNA. No specific product versions are listed, implying the flaw could exist in multiple or all current deployments of the Teams client and service. Users of any Teams installation should check whether they are affected by consulting Microsoft's update guide for CVE-2026-21535.

Risk and Exploitability

The vulnerability has a CVSS score of 8.2, indicating high severity. The EPSS score is reported as less than 1%, reflecting a very low probability of exploitation at this time. The issue is not listed in the CISA KEV catalog. The likely attack vector is a network-based request to the Teams service that bypasses normal authorization checks. If exploited, an attacker could read data without permission; successful exploitation requires only network access and does not necessarily require elevated credentials.

Generated by OpenCVE AI on April 15, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Teams patch that addresses CVE-2026-21535 as announced by Microsoft
  • Configure network segmentation or firewall rules to limit inbound traffic to the Teams backend and enforce strict access controls
  • Review and enforce tighter data sharing policies and permission settings within Teams to restrict the scope of exposed information

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:teams:-:*:*:*:*:*:*:*

Thu, 19 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network.
Title Microsoft Teams Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft teams
Weaknesses CWE-284
CPEs cpe:2.3:a:microsoft:teams:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft teams
References
Metrics cvssV3_1
{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-10T13:21:17.416Z

Reserved: 2025-12-30T18:10:54.847Z

Link: CVE-2026-21535

Vulnrichment

Updated: 2026-02-23T18:21:18.731Z

NVD

Status: Analyzed

Published: 2026-02-19T23:16:24.217

Modified: 2026-02-20T17:39:46.743

Link: CVE-2026-21535

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z
