Introduction
A server-side request forgery (SSRF) vulnerability in Microsoft Purview eDiscovery could have allowed an unauthorized attacker to reach across Microsoft 365 service boundaries and access sensitive organizational data without any authentication or user interaction. Given that eDiscovery is designed to search and retrieve content from Exchange Online, Teams, SharePoint, OneDrive, and other Microsoft 365 services, the potential blast radius of this SSRF was considerable, touching mailboxes, chat logs, documents, and enterprise social data.
Microsoft has already fully mitigated CVE-2026-26150 on their end, and no customer action is required. The CVE was published for transparency and compliance tracking purposes, carrying a CVSS 3.1 base score of 8.6.
Technical Information
Root Cause: Server-Side Request Forgery (CWE-918)
CVE-2026-26150 is a server-side request forgery vulnerability in Microsoft Purview eDiscovery. SSRF vulnerabilities occur when an application can be induced to make HTTP requests (or other network requests) to an attacker-controlled destination or, more critically, to internal services that should not be directly accessible. In this case, the vulnerable component is the eDiscovery service itself, which by design has broad access to internal Microsoft 365 data stores.
CVSS 3.1 Breakdown
The full CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, which breaks down as follows:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Remotely exploitable |
| Attack Complexity | Low | No specialized conditions needed |
| Privileges Required | None | No authentication required |
| User Interaction | None | No victim action needed |
| Scope | Changed | Impact extends beyond the vulnerable component |
| Confidentiality | High | Significant data exposure possible |
| Integrity | None | No data modification |
| Availability | None | No denial of service |
The "Changed" scope is particularly notable here. It means the SSRF in eDiscovery could be leveraged to access resources managed by other security authorities within the Microsoft 365 ecosystem, not just the eDiscovery component itself.
Data Exposure Surface
Because Microsoft Purview eDiscovery is architected to interact with multiple Microsoft 365 data repositories, the potential exposure surface from this SSRF is broad. The services accessible through eDiscovery include:
| Service | Data Type |
|---|---|
| Exchange Online | Mailboxes and email communications |
| Microsoft Teams | Chat messages and shared files |
| OneDrive | Personal cloud storage files |
| SharePoint | Organizational sites and documents |
| Microsoft 365 Groups | Group communications and shared resources |
| Viva Engage | Enterprise social network data |
An attacker exploiting this SSRF could potentially craft requests that cause the eDiscovery server-side component to make unintended internal requests, effectively accessing data across these interconnected services on behalf of the attacker. The "Changed" scope in the CVSS vector directly reflects this cross-service reach.
Attack Flow
Based on the CVSS metrics and vulnerability classification, the general attack flow would proceed as follows:
- An unauthenticated attacker sends a crafted network request to the Microsoft Purview eDiscovery service endpoint.
- The eDiscovery service processes the request and, due to insufficient validation of the target resource, makes an internal request to a service or endpoint specified (or influenced) by the attacker.
- The internal service responds to the eDiscovery component with data that would normally be inaccessible to external, unauthenticated users.
- The attacker receives or infers the contents of the internal response, resulting in unauthorized data disclosure.
The fact that no privileges and no user interaction are required makes this a particularly clean attack path. The attacker does not need to compromise any accounts or trick any users.
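The root cause section and the attack flow above both come down to the same defect: the server-side component does not adequately validate the destination it is asked to fetch. As an added example that is not Microsoft's code and says nothing about eDiscovery's internals, the Python below shows the destination check a defender puts in front of any server-side fetch: an https-only scheme rule, an exact-match host allowlist, rejection of userinfo tricks, and rejection of targets that resolve to non-public addresses (loopback, private, link-local including cloud metadata ranges, IPv4-mapped IPv6). `validate_target`, `is_allowed` and the sample hosts are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class DestinationRejected(ValueError):
    """Raised when an outbound request target fails policy checks."""


def _is_internal(ip):
    """True for loopback, private, link-local (incl. 169.254.0.0/16 metadata),
    multicast, reserved and unspecified addresses; False only for global ones."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    return not addr.is_global


def validate_target(url, allowed_hosts, resolve=socket.gethostbyname):
    """Return (scheme, host, resolved_ip) for an outbound request, or raise
    DestinationRejected. The caller must connect to the *resolved* IP so a DNS
    rebinding race cannot change the answer between this check and the fetch.
    `resolve` is injectable so the check can be exercised offline."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise DestinationRejected("scheme not allowed: %r" % parts.scheme)
    if parts.username or parts.password:
        raise DestinationRejected("userinfo in URL is not allowed")  # foils allowed@evil
    host = parts.hostname                      # already lowercased by urlsplit
    if not host:
        raise DestinationRejected("missing host")
    if host not in allowed_hosts:              # exact match, never suffix/prefix
        raise DestinationRejected("host not in allowlist: %r" % host)
    ip = resolve(host)
    if _is_internal(ip):
        raise DestinationRejected("host resolves to non-public address %s" % ip)
    return parts.scheme, host, ip


def is_allowed(url, allowed_hosts, resolve=socket.gethostbyname):
    """Boolean convenience wrapper around validate_target."""
    try:
        validate_target(url, allowed_hosts, resolve)
        return True
    except DestinationRejected:
        return False


if __name__ == "__main__":
    # Constructed sample: allowlisted host, fake resolver returning a public IP.
    fake_dns = {"archive.example": "1.2.3.4"}.__getitem__
    print(validate_target("https://archive.example/export?id=1", {"archive.example"}, fake_dns))
```

The allowlist is the primary control; the address check is a second layer for the case where an allowlisted name is later pointed at an internal address.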
Information Gaps
Microsoft has not disclosed specific exploit chain details, exact affected build numbers, or indicators of compromise. The NVD assessment for CVSS 4.0 and CVSS 2.0 was not yet available at the time of initial publication.
Affected Systems and Versions
The affected component is Microsoft Purview eDiscovery, a cloud-hosted service within the Microsoft 365 ecosystem. Microsoft has not disclosed exact affected build numbers or version ranges. Because this is a cloud service fully managed by Microsoft, the vulnerability and its remediation are handled server-side, and customers do not manage versioning or patching for this component.
Vendor Security History
The disclosure of CVE-2026-26150 follows Microsoft's established practice of publishing CVEs for cloud service vulnerabilities that have already been mitigated, providing transparency for compliance and audit purposes. Microsoft acted as the assigning CNA for this vulnerability. The report confidence is marked as Confirmed, and the remediation level is Official Fix. This pattern of retroactive cloud CVE disclosure has become increasingly common from Microsoft, allowing organizations to maintain accurate vulnerability records even for services where local patching is not applicable.
References
- CVE-2026-26150: Microsoft Purview eDiscovery Elevation of Privilege Vulnerability (MSRC)
- NVD Entry for CVE-2026-26150
- Microsoft Security Response Center: April 2026 Release Notes
- GitHub Advisory: GHSA-qr6p-j8r5-cc78
- Learn about eDiscovery Solutions (Microsoft Documentation)
- Learn about Microsoft Purview (Microsoft Documentation)