CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-26137

CVSS 9.9v3.1pub. 2026-03-19upd. 2026-03-27

Server-side request forgery (ssrf) in Microsoft Exchange allows an authorized attacker to elevate privileges over a network.

🤖 AI Analysis
How it works

An attacker with basic system access (authentication with low privileges required) can send crafted requests that the Microsoft Exchange server executes on their behalf — this is an SSRF mechanism (CWE-918). This makes it possible to trick the server into communicating with internal network resources or services that are not directly accessible to the attacker. The lack of user interaction requirement and network attack vector (AV:N) mean that the exploit can be performed remotely without any additional action from the victim.

Impact

An attacker can perform privilege escalation — obtain higher privileges than granted during authentication, and potentially gain access to sensitive data (C:H) as well as modify resources (I:H) within the internal infrastructure.

Mitigation & patch

Apply patches available from the vendor according to the references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137

Who is affected

Microsoft Exchange — versions indicated in vendor references (Microsoft Security Response Center).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
  • Microsoft 365 Copilot Chat

    APP
    Microsoft
    wszystkie wersje
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2025-59272CRITICAL9.3PL ✓ten sam produkt

Command injection w Microsoft 365 Copilot Chat umożliwiający ujawnienie informacji

CVE-2025-59286CRITICAL9.3PL ✓ten sam produkt

Command Injection w Microsoft 365 Copilot Chat umożliwiający ujawnienie informacji

CVE-2026-26129HIGH7.5ten sam produkt

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an ...

CVE-2026-26164HIGH7.5ten sam produkt

Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an ...

CVE-2025-53787HIGH8.2ten sam produkt

Microsoft 365 Copilot BizChat Information Disclosure Vulnerability