{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21535", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-30T18:10:54.847Z", "datePublished": "2026-02-19T22:06:20.817Z", "dateUpdated": "2026-05-11T21:25:30.929Z"}, "containers": {"cna": {"title": "Microsoft Teams Information Disclosure Vulnerability", "datePublic": "2026-02-19T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:teams:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Teams", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-284: Improper Access Control", "lang": "en-US", "type": "CWE", "cweId": "CWE-284"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T21:25:30.929Z"}, "references": [{"name": "Microsoft Teams Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21535"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T18:20:57.388093Z", "id": "CVE-2026-21535", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:21:23.768Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21535", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T18:20:57.388093Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:21:18.731Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Teams Information Disclosure Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Teams", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-02-19T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21535", "name": "Microsoft Teams Information Disclosure Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:teams:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-11T18:10:09.314Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21535", "state": "PUBLISHED", "dateUpdated": "2026-05-11T18:10:09.314Z", "dateReserved": "2025-12-30T18:10:54.847Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-02-19T22:06:20.817Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:teams:-:*:*:*:*:*:*:*", "matchCriteriaId": "52B85963-34CA-49A1-B59A-6005DF151CB0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network."}], "id": "CVE-2026-21535", "lastModified": "2026-02-20T17:39:46.743", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-19T23:16:24.217", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21535"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft Teams", "source": "cna", "vendor": "Microsoft"}, "product": "teams", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-15T16:15:17.526103+00:00", "value": {"mitigation_remediation": ["Apply the latest Microsoft Teams patch that addresses CVE\u20112026\u201121535 as announced by Microsoft", "Configure network segmentation or firewall rules to limit inbound traffic to the Teams backend and enforce strict access controls", "Review and enforce tighter data sharing policies and permission settings within Teams to restrict the scope of exposed information"], "summary": {"action": "Patch promptly", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Microsoft Teams, as identified by Microsoft and referenced by the CNA. No specific product versions are listed, implying the flaw could exist in multiple or all current deployments of the Teams client and service. Users of any Teams installation should verify the presence of this flaw by consulting Microsoft\u2019s update guide for CVE\u20112026\u201121535.", "description_and_impact": "Microsoft Teams contains an improper access control flaw that allows attackers who are not authenticated to read sensitive information transmitted over a network. The vulnerability is rooted in CWE-284, leading to potential data leakage that could expose private communications, meeting content, or other organizational data. The specified impact is the unauthorized disclosure of information to an attacker, which can undermine confidentiality of organizational assets.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.2, indicating a high severity. The EPSS score is reported as less than 1\u202f%, reflecting a very low probability of exploitation at this time. Microsoft does not list this issue in the CISA KEV catalog. The likely attack vector is a network-based request to the Teams service that bypasses normal authorization checks. If exploited, an attacker could read data without permission; successful exploitation requires only network access and does not necessarily require elevated credentials."}}}}, "created": "2026-02-20T09:53:49.293935+00:00", "updated": "2026-04-15T17:15:10.599942+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$teams"]}