CVE-2026-45503: Microsoft Exchange Server Information Disclosure Vulnerability

Overview

Severity: High (CVSS 8.1)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2026-Jun
Released: 2026-06-09

Description

Improper authorization in Microsoft Exchange Server allows an authorized attacker to disclose information over a network.

FAQ

How could an attacker exploit this vulnerability?

An authenticated Outlook Web App user could exploit this issue by reusing a valid access token issued to their own mailbox to access attachments stored in another user’s mailbox within the same Exchange organization, without authorization.

What type of information could be disclosed by this vulnerability?

An attacker could gain unauthorized access to email attachments stored in other users’ mailboxes within the same organization, which may include documents, images, or other files attached to emails.

Affected Products (4)

ESU

  • Microsoft Exchange Server 2016 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 14

Server Software

  • Microsoft Exchange Server Subscription Edition RTM

Security Updates (1)

Acknowledgments

Anonymous, Vaibhavi Kalgutkar with Microsoft

Revision History

  • 2026-06-09: Information published.