Server-side request forgery (ssrf) in Microsoft Exchange allows an authorized attacker to elevate privileges over a network.
An attacker with basic system access (authentication with low privileges required) can send crafted requests that the Microsoft Exchange server executes on their behalf — this is an SSRF mechanism (CWE-918). This makes it possible to trick the server into communicating with internal network resources or services that are not directly accessible to the attacker. The lack of user interaction requirement and network attack vector (AV:N) mean that the exploit can be performed remotely without any additional action from the victim.
An attacker can perform privilege escalation — obtain higher privileges than granted during authentication, and potentially gain access to sensitive data (C:H) as well as modify resources (I:H) within the internal infrastructure.
Apply patches available from the vendor according to the references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137
Microsoft Exchange — versions indicated in vendor references (Microsoft Security Response Center).
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:LMicrosoft 365 Copilot Chat
APPMicrosoftwszystkie wersje
Related vulnerabilities
Command injection w Microsoft 365 Copilot Chat umożliwiający ujawnienie informacji
Command Injection w Microsoft 365 Copilot Chat umożliwiający ujawnienie informacji
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an ...
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an ...
Microsoft 365 Copilot BizChat Information Disclosure Vulnerability