MEDIUM 6.5

CVE-2026-47655: Microsoft Graph Information Disclosure Vulnerability (CVSS 6.5)

Microsoft Graph contains a flaw that allows an authorized attacker to access sensitive information they should not be able to see. The vulnerability requires the attacker to already have valid credentials, but once authenticated, they can retrieve confidential data over the network without performing additional interactions. This is classified as a medium-severity issue because exploitation requires prior authentication, limiting the attack surface to insiders or compromised accounts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
1 configuration(s)
Published / Modified
2026-06-04 / 2026-06-19

NVD description (verbatim)

Exposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47655 is an information disclosure vulnerability in Microsoft Graph stemming from improper access controls (CWE-200). An authenticated attacker can exploit insufficient authorization checks to retrieve sensitive data that falls outside their intended permission scope. The attack vector is network-based with low complexity, requiring only valid API credentials and standard HTTP requests. The vulnerability does not enable data modification or service disruption—impact is strictly confidentiality.

Business impact

This vulnerability poses a data breach risk for organizations relying on Microsoft Graph for identity, calendar, email, and file-sharing APIs. A compromised service account, delegated admin token, or insider with minimal privileges could exfiltrate customer data, intellectual property, or personally identifiable information. The blast radius depends on the sensitivity of data accessible through Graph and the breadth of affected scopes. Regulatory implications may arise if exposed data includes regulated information (PII, HIPAA, PCI).

Affected systems

Microsoft Graph is affected. This API underpins Microsoft 365, Azure AD, Teams, Outlook, SharePoint, OneDrive, and other cloud services. Any application or service that authenticates to Graph using OAuth 2.0 tokens—including first-party Microsoft services and third-party integrations—is potentially impacted. The severity of exposure varies based on the specific data classes and API endpoints affected; verify Microsoft's advisory for scope details.

Exploitability

Exploitation requires valid authentication credentials, preventing unauthenticated attacks. However, the barrier is low once an attacker has a token: no special tricks, social engineering, or user interaction needed. Opportunistic attacks against over-privileged service accounts or compromised user sessions are realistic. The lack of public exploit code and KEV inclusion status (not on CISA's Known Exploited Vulnerabilities list as of publication) suggest active exploitation is not yet widespread, but the straightforward nature of access-control bypass makes rapid weaponization probable.

Remediation

Organizations must apply Microsoft's security update immediately to all systems exposing or consuming Microsoft Graph APIs. This includes patching Azure AD, Microsoft 365 tenants, and any custom applications using the Graph SDK. Concurrent actions: audit recently issued tokens for abuse, review access logs for unauthorized data queries, and enforce least-privilege access policies. Implement conditional access policies and monitor for anomalous Graph API usage patterns.

Patch guidance

Check Microsoft's official security advisory for the specific versions addressing CVE-2026-47655. Updates are typically deployed automatically to cloud services (Azure AD, Microsoft 365), but verify your tenant's last update timestamp. For on-premises deployments and third-party Graph consumers, manual patching may be required. Test patches in a non-production environment first, as Graph API changes can affect dependent applications. Coordinate with application owners to confirm compatibility.

Detection guidance

Monitor Azure AD sign-in logs and Graph API audit logs for authenticated users querying data outside their normal permission set. Flag requests to sensitive endpoints (users, mail, calendar, files) from service accounts or administrative tokens. Use Microsoft Defender for Cloud Apps or similar tools to detect anomalous Graph API activity. Search security logs for unusual token usage or repeated 403 Forbidden responses followed by successful queries to unexpected resources. Establish baseline usage profiles for key service accounts.

Why prioritize this

While CVSS 6.5 (MEDIUM) reflects the authentication requirement, organizations should treat this as high priority because: (1) Graph is fundamental to Microsoft 365 and Azure AD, affecting nearly all modern cloud deployments; (2) data exfiltration often goes undetected longer than active attacks; (3) insider and supply-chain risks are elevated; (4) rapid patch deployment is feasible for cloud-native tenants. Prioritize patching in environments with sensitive data or high-risk user populations.

Risk score, explained

The CVSS 6.5 score reflects a network-accessible vulnerability with low complexity and high confidentiality impact, moderated by the requirement for prior authentication (Privilege Required: Low). The vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates no user interaction, single-scope impact, and no availability or integrity loss. This places it firmly in MEDIUM territory; organizations should not dismiss it as low-risk.

Frequently asked questions

Who can exploit this vulnerability?

Any user or service with a valid Microsoft Graph API token and appropriate OAuth scopes can potentially exploit this flaw. This includes legitimate users, service accounts, third-party applications with delegated permissions, and attackers who have compromised credentials. The key risk is over-privileged service accounts and former employees whose tokens may still be valid.

Will patching Microsoft 365 or Azure AD impact my users or applications?

Cloud-hosted Microsoft 365 and Azure AD tenants receive patches automatically with minimal to no user-facing downtime. However, custom applications and integrations consuming the Graph API should be tested after patches to ensure they do not rely on the unintended access behavior. Coordinate with your development and application teams during the patch window.

How do I know if this vulnerability was exploited in my environment?

Review Microsoft Defender for Cloud Apps and Azure AD sign-in logs for Graph API requests from unexpected sources or to sensitive data endpoints. Enable advanced audit logging in your Microsoft 365 tenant and check for queries to user properties, mail, or calendar data by service accounts. A sudden spike in 403 errors followed by successful queries to atypical endpoints is a red flag.

Is this vulnerability included in CISA's Known Exploited Vulnerabilities (KEV) catalog?

No. As of publication, CVE-2026-47655 is not on CISA's KEV list, meaning there is no confirmed evidence of active, in-the-wild exploitation. However, lack of KEV status does not guarantee safety—the straightforward nature of access-control bypass makes future exploitation likely if left unpatched.

This analysis is based on publicly available information as of the stated publication date. SEC.co does not independently verify patch version numbers, timelines, or scope—consult Microsoft's official security advisory for authoritative remediation guidance. Exploitation status and impact vary by environment and data sensitivity. This explainer is for informational purposes and does not constitute legal or compliance advice. Organizations should conduct their own risk assessment and coordinate patching with relevant stakeholders. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).