CVE-2026-45504: Microsoft Exchange Server Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 8.8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Unlikely

Patch Tuesday

2026-Jun

Released

2026-06-09

Description

Server-side request forgery (ssrf) in Microsoft Exchange Server allows an authorized attacker to elevate privileges over a network.

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker could gain elevated privileges beyond those normally available to them, allowing actions such as accessing restricted information or performing operations that are typically limited to more highly privileged users or administrators. How could an attacker exploit this vulnerability? An attacker with a low-privilege user account and an assigned mailbox, could exploit weaknesses in how Exchange validates requests and identity tokens to impersonate another user. By doing so, the attacker could then access mailboxes through Exchange services as if they were that user.

Affected Products (4)

Server Software

• Microsoft Exchange Server Subscription Edition RTM

ESU

• Microsoft Exchange Server 2019 Cumulative Update 15
• Microsoft Exchange Server 2016 Cumulative Update 23
• Microsoft Exchange Server 2019 Cumulative Update 14

Security Updates (1)

• 5094139

Acknowledgments

MARIOS GYFTOS

Revision History

• 2026-06-09: Information published.