Description
Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.
Published: 2026-06-09
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a server‑side request forgery that enables an attacker with authorized access to send arbitrary HTTP requests from the Exchange server to internal resources, thereby revealing sensitive data. This vulnerability falls under CWE‑918 and primarily leads to unauthorized disclosure of confidential information.

Affected Systems

Affected products include Microsoft Exchange Server 2016 receiving Cumulative Update 23, Microsoft Exchange Server 2019 receiving Cumulative Updates 14 and 15, and Microsoft Exchange Server Subscription Edition in its release‑to‑market version. These variants are vulnerable until the corresponding update is applied.

Risk and Exploitability

The CVSS score of 5.0 indicates a medium severity disclosure. The EPSS score is not available, and the vulnerability is not currently listed in CISA’s KEV catalog, suggesting no known widespread exploitation. The attacker must be authorized on the Exchange system to perform SSRF; thus the likely attack vector is via authenticated user privileges or compromised credentials within the Exchange infrastructure.

Generated by OpenCVE AI on June 9, 2026 at 20:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest cumulative updates, specifically CU23 for Exchange 2016, CU15 for Exchange 2019, and the most recent Subscription Edition patch.
  • Verify that server‑side request forgery behaviors are removed by testing internal HTTP requests from the Exchange services.
  • Restrict the Exchange server’s outbound network access to only necessary endpoints and monitor activity logs for unusual internal requests.

Generated by OpenCVE AI on June 9, 2026 at 20:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.
Title Microsoft Exchange Server Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft exchange Server 2016
Microsoft exchange Server 2019
Microsoft exchange Server Se
Weaknesses CWE-918
CPEs cpe:2.3:a:microsoft:exchange_server_2016:*:cumulative_update_23:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_14:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_2019:*:cumulative_update_15:*:*:*:*:*:*
cpe:2.3:a:microsoft:exchange_server_se:*:RTM:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft exchange Server 2016
Microsoft exchange Server 2019
Microsoft exchange Server Se
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Exchange Server 2016 Exchange Server 2019 Exchange Server Se
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-10T17:53:35.984Z

Reserved: 2026-05-12T16:07:22.619Z

Link: CVE-2026-45502

cve-icon Vulnrichment

Updated: 2026-06-10T14:22:46.562Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-09T17:17:26.010

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45502

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T21:15:05Z

Weaknesses