CVE-2026-47655 - Vulnerability Details

Description

Exposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network.

Published: 2026-06-04

Score: 6.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an attacker who already has authorized access to Microsoft Graph to expose sensitive information over the network. It results in a loss of confidentiality, enabling discovery or leakage of data that should remain private.

Affected Systems

Microsoft Graph, as provided by Microsoft. No specific product versions are identified in the available data, so all revisions of the Graph API are potentially affected until a patch is released.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity. No EPSS score is available, so the probability of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. Attacks would likely need authenticated access to the Graph service, and the attacker could trigger the information disclosure by sending crafted requests over the network, assuming no mitigations are in place.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

Microsoft Graph

affected

Version	Status	Constraints
`-`	affected	—

No data.

Vendor Product Confidence Versions

Microsoft

Graph

95%

Version	Status	Scheme	Platform
`[0,*]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Microsoft Graph security updates when they become available.
Restrict Graph API permissions to the minimum required for each application and user.
Monitor Graph API logs for anomalous requests that may indicate attempts to disclose sensitive data.

Generated by OpenCVE AI on June 4, 2026 at 23:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47655

History

Thu, 04 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Description		Exposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network.
Title		Microsoft Graph Information Disclosure Vulnerability
First Time appeared		Microsoft Microsoft graph
Weaknesses		CWE-200
CPEs		cpe:2.3:a:microsoft:graph::::::::
Vendors & Products		Microsoft Microsoft graph
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47655
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}`

Subscriptions

Microsoft Graph

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2026-06-04T22:00:53.146Z

Updated: 2026-06-04T22:00:53.146Z

Reserved: 2026-05-19T20:12:27.071Z

Link: CVE-2026-47655

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T23:17:32.530

Modified: 2026-06-04T23:17:32.530

Link: CVE-2026-47655

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T00:00:08Z

Weaknesses

CWE-200

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object