{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26137", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T16:24:51.133Z", "datePublished": "2026-03-19T21:06:26.050Z", "dateUpdated": "2026-04-14T16:36:32.258Z"}, "containers": {"cna": {"title": "Microsoft Exchange Elevation of Privilege Vulnerability", "datePublic": "2026-03-19T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:exchange_online:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Exchange Online", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Microsoft Exchange allows an authorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:32.258Z"}, "references": [{"name": "Microsoft Exchange Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-26137"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T04:01:45.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26137", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T15:16:02.985716Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:17:47.384Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Exchange Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Exchange Online", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-03-19T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137", "name": "Microsoft Exchange Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Server-side request forgery (ssrf) in Microsoft Exchange allows an authorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:exchange_online:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:32.258Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26137", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:32.258Z", "dateReserved": "2026-02-11T16:24:51.133Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-19T21:06:26.050Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:365_copilot_chat:-:*:*:*:*:*:*:*", "matchCriteriaId": "431CBC2E-E9C8-4A85-B619-F7782685F815", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Microsoft Exchange allows an authorized attacker to elevate privileges over a network."}, {"lang": "es", "value": "Falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en el Chat Empresarial de Microsoft 365 Copilot permite a un atacante autorizado elevar privilegios sobre una red."}], "id": "CVE-2026-26137", "lastModified": "2026-03-27T23:17:12.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:08.050", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft 365 Copilot's Business Chat", "source": "cna", "vendor": "Microsoft"}, "product": "365_copilot_business_chat", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-28T05:42:49.117577+00:00", "value": {"mitigation_remediation": ["Apply the latest security update for Microsoft Exchange Online as released by Microsoft.", "Confirm that the Exchange Online deployment is updated to address the SSRF flaw."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via SSRF"}, "threat_synthesis": {"affected_systems": "Microsoft Exchange Online is affected. The specific product is Microsoft Exchange Online within the Microsoft 365 ecosystem. The CNA does not provide explicit version information, so affected workloads include any Exchange Online deployment that has not yet applied the latest available update.", "description_and_impact": "The vulnerability is a server\u2011side request forgery (SSRF) that occurs within Microsoft Exchange Online. An attacker who already has authorized access can craft malicious requests that force the Exchange server to initiate outbound connections, effectively bypassing normal access controls. This flaw allows the attacker to elevate privileges across the network, potentially gaining full administrative rights or accessing protected resources.", "risk_and_exploitability": "The CVSS score of 9.9 indicates critical severity. The EPSS score of less than 1 percent suggests low current exploitation probability, and the vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector is internal or privileged users exploiting the SSRF from within the Exchange server environment. The attacker needs authorized access to issue the malicious request; no publicly exploitable remote entry point is described."}}}}, "created": "2026-03-20T08:55:54.687407+00:00", "updated": "2026-03-29T20:28:55.962948+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$365_copilot_business_chat"]}