CRITICAL | CVE-2026-48579 | Published | Modified | CNA: microsoft

CVE-2026-48579: Microsoft Exchange Online Information Disclosure Vulnerability

Improper authorization in Microsoft Exchange Online allows an unauthorized attacker to disclose information over a network.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An improper authorization vulnerability in Microsoft Exchange Online allows an unauthenticated attacker to reach the service over a network and disclose sensitive information or tamper with data. The CVSS score of 9.1 (Critical) reflects that no credentials or user interaction are needed, making the attack straightforward to execute at scale. Successful exploitation gives an attacker read access to confidential email data and the ability to modify it. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Microsoft publishes a fix.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-48579 is available across every HarborGuard environment, with ingestion from upstream feeds occurring within minutes of CVE publication and matching applied against all images in customer registries and CI/CD pipelines, including custom-built images that layer on affected Microsoft Exchange Online components.
Triage: Available

HarborGuard is capable of scoring this CVE at 9.1 Critical using the published CVSS v3.1 vector and weighting the result against each customer environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration.
Patch: Pending upstream

Because Microsoft has not yet published a fix version, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version is confirmed upstream.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Exchange Online service over the network; no local or physical access is needed, making internet-exposed deployments directly at risk.

  • Authentication: Not required

    No credentials of any privilege level are required; the vulnerability is exploitable by any unauthenticated party with network access.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the attacker can exploit this entirely without user participation.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup to succeed.

Blast Radius

  • Reads confidential email content, attachments, and mailbox metadata accessible through Exchange Online.
  • Modifies or corrupts email data, including messages, calendar entries, or folder structures stored in affected mailboxes.
  • Enables an attacker to exfiltrate sensitive business communications without leaving obvious authentication traces.
  • Provides a foothold for further lateral movement by harvesting credentials, internal links, or organizational data embedded in email.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet for CVE-2026-48579, HarborGuard re-examines the Microsoft advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is published. Where compliance policy permits, customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls available through HarborGuard include network-policy isolation rules that restrict which workloads can reach Exchange Online endpoints, egress filtering recommendations surfaced per environment, and continuous re-scoring of the CVE as the upstream record evolves. Given the Critical severity and zero-authentication exploit path, customers are advised to review compliance policy settings now so auto-remediation triggers immediately when the fix lands.

Affected packages
  • Microsoft / Microsoft Exchange Online
    -
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C