// Microsoft 365HIGH
CVE-2026-45504 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server 2019 that allows authenticated low-privileged users to read arbitrary files via improper URL validation in the OneDriveProUtilities component. The flaw stems from unsafe handling of user-controlled input in WOPI (Web Application Open Platform Interface) URL processing, enabling attackers to chain the vulnerability through malicious attachment references to access sensitive files such as configuration data and credentials. A proof-of-concept exploit has been publicly released.
- Microsoft Exchange SSRF Vulnerability Lets Low-Privileged Attack(opens in a new tab)
- Microsoft: Microsoft Exchange SSRF Vulnerability Details Release(opens in a new tab)
// Get alerts for Microsoft 365