Description
Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network.
Published: 2026-06-04
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper authorization in Microsoft Exchange Online permits an unauthorized user to read sensitive data over the network. The vulnerability stems from an access control flaw (CWE-285) that bypasses standard permission checks, resulting in disclosure of confidential information. This can compromise the confidentiality of data stored or transmitted by the affected service.

Affected Systems

Microsoft Exchange Online users are impacted. No specific version range is enumerated in the advisory, so all deployments of Exchange Online that have not applied the Microsoft-provided fix are potentially vulnerable.

Risk and Exploitability

The CVSS score of 9.1 places this issue in the Critical severity range. No EPSS score is currently available, and the issue is not listed in the CISA KEV catalog, but the absence of an exploitation probability figure does not reduce the risk, especially given the remote nature outlined in the description. The likely attack vector is a network connection to the Exchange Online service, with no additional host or privilege prerequisites noted.

Generated by OpenCVE AI on June 4, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Microsoft Security Response Center for updates.
  • If a patch is available, install it immediately to remediate the access control flaw.
  • If a patch is not yet released, isolate the affected service from the internet until a fix is applied and conduct a thorough audit of data access logs for anomalous activity.
  • Consider applying network segmentation or firewall rules that restrict access to Exchange Online endpoints to reduce exposure.


Advisories

No advisories yet.

History

Thu, 04 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network.
Title | | Microsoft Exchange Online Information Disclosure Vulnerability
First Time appeared | | Microsoft; Microsoft exchange Online
Weaknesses | | CWE-285
CPEs | | cpe:2.3:a:microsoft:exchange_online:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft exchange Online
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-04T22:00:54.470Z

Reserved: 2026-05-21T20:00:35.246Z

Link: CVE-2026-48579

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-04T23:17:32.830

Modified: 2026-06-04T23:17:32.830

Link: CVE-2026-48579

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T01:15:15Z

Weaknesses