CVE-2026-45502
Microsoft Exchange Server Information Disclosure Vulnerability
Description
Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.
In plain language
AI Act nowCVE-2026-45502 is an information-leaking flaw in Microsoft Exchange Server where a low-privileged user can trick the server into making network requests and revealing sensitive data; if you run Exchange and haven’t updated to the listed fixed updates, you should act.
CVE-2026-45502 is a server-side request forgery (SSRF) information-disclosure issue in Microsoft Exchange Server that allows an authorized attacker with low-level privileges to coerce the server into sending requests to arbitrary locations and leaking data over the network.
What to do now
- Check your Microsoft Exchange Server version (2016 CU23, 2019 CU14, 2019 CU15, or Subscription Edition RTM) and note whether you are below the fixed update versions listed by Microsoft.
- If you are affected, update to the fixed versions: Exchange Server 2016 CU23 → 15.01.2507.069; Exchange Server 2019 CU14 → 15.02.1544.041; Exchange Server 2019 CU15 → 15.02.1748.046; Exchange Server Subscription Edition RTM (and Subscription Edition) → 15.02.2562.043.
- After updating, verify Exchange health and then review server/network logs for unusual outbound connections or request patterns around the Exchange server’s time of change.
- If patching is delayed, immediately limit/monitor accounts with low-level privileges on Exchange, and restrict any internal/external connectivity paths that could be abused for outbound requests (as allowed by your network design).
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:LPrivileges RequiredUI:NUser InteractionS:CScopeC:LConfidentialityI:NIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-45502 and every CVE in our database. Create a free account — no credit card required.
Create Free Account