CVE Tools

CVE-2026-45502

Microsoft Exchange Server Information Disclosure Vulnerability

Published: Jun 9, 2026Updated: Jun 15, 2026 Sources: CVE List NVD BDUCWE-918

Description

Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.

In plain language

AI Act now

CVE-2026-45502 is an information-leaking flaw in Microsoft Exchange Server where a low-privileged user can trick the server into making network requests and revealing sensitive data; if you run Exchange and haven’t updated to the listed fixed updates, you should act.

Executive summary

CVE-2026-45502 is a server-side request forgery (SSRF) information-disclosure issue in Microsoft Exchange Server that allows an authorized attacker with low-level privileges to coerce the server into sending requests to arbitrary locations and leaking data over the network.

If affected, business impact
Sensitive customer email exposureCredential/token or internal data leakageReputation and trust damageRegulatory reporting risk

What to do now

  1. Check your Microsoft Exchange Server version (2016 CU23, 2019 CU14, 2019 CU15, or Subscription Edition RTM) and note whether you are below the fixed update versions listed by Microsoft.
  2. If you are affected, update to the fixed versions: Exchange Server 2016 CU23 → 15.01.2507.069; Exchange Server 2019 CU14 → 15.02.1544.041; Exchange Server 2019 CU15 → 15.02.1748.046; Exchange Server Subscription Edition RTM (and Subscription Edition) → 15.02.2562.043.
  3. After updating, verify Exchange health and then review server/network logs for unusual outbound connections or request patterns around the Exchange server’s time of change.
  4. If patching is delayed, immediately limit/monitor accounts with low-level privileges on Exchange, and restrict any internal/external connectivity paths that could be abused for outbound requests (as allowed by your network design).
Patch / advisory Usually a quick update

CVSS Vector Breakdown

AV:NAC:LPR:LUI:NS:CC:LI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:CScope
Changed
Impact
C:LConfidentiality
Low
I:NIntegrity
None
A:NAvailability
None

Weaknesses

Affected Products

and 4 more affected products View all →

Exploitability

Official Patch Available

Attack Graph

Products CVE Techniques Tactics

Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/ + scroll to zoom, or go fullscreen.

MITRE ATT&CK

2 techniques
Command and Control
Initial Access
View detailed technique mapping

References

Could not load news mentions.

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-45502 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows