An information disclosure vulnerability in Microsoft Graph, tracked as CVE-2026-47655 (CVSS 6.5), allows an authorised attacker to disclose information over a network. Microsoft Graph is the unified API endpoint for accessing data across Microsoft 365 services — including Exchange Online, SharePoint, Teams, and OneDrive.
What Is the Vulnerability?
CVE-2026-47655 is an exposure of sensitive information vulnerability in Microsoft Graph (CWE-200). The vulnerability allows an attacker who already has some level of authorised access to the Microsoft Graph API to access information beyond their intended permissions. Microsoft Graph provides programmatic access to email, files, calendar, contacts, and user data across the Microsoft 365 ecosystem — information disclosure through this API could expose sensitive organisational data.
- CVSS v3.1 Score: 6.5 (Medium)
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- Published: June 4, 2026
Which Versions Are Affected?
- Microsoft Graph API — Microsoft has applied the fix to the service
What Is the Fix?
Because Microsoft Graph is a cloud service, Microsoft has applied the fix on the service side; no customer patching is required. Confirm the status through the Microsoft 365 admin center. Advisory: MSRC — CVE-2026-47655
Recommendations
Audit Microsoft Graph API permissions. Review which applications and service principals have Graph API permissions in your Microsoft 365 tenant. Remove any unused or overly permissive permissions.
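The permission audit above can be scripted with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the advisory or any Microsoft tooling: it inventories every application (app role) and delegated (OAuth2) permission granted against the Microsoft Graph resource in a tenant and flags broad ones. The "broad" regex is an assumed heuristic to tune to local policy, the output file name is a placeholder, and the caller is assumed to hold a read-only directory role. The well-known appId of the Microsoft Graph service principal is a fixed value.

```powershell
# Added example (not from the advisory): inventory Microsoft Graph permissions
# held by service principals in a tenant and flag broad ones for review.
# Requires the Microsoft.Graph PowerShell SDK; assumes the caller can read
# applications, service principals and permission grants (e.g. Global Reader).
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# The Microsoft Graph resource service principal has this well-known appId.
# Its AppRoles list maps role GUIDs to permission names such as Mail.Read.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

# Heuristic (assumption, tune to policy): tenant-wide or data-plane permissions
# deserve a second look, especially when granted as application permissions.
$broadPattern = '(\.All$|^Directory\.|^Mail\.|^Files\.|^Sites\.)'

$findings = @()

# 1. Application permissions: every app role assignment whose resource is Graph,
#    fetched in one call from the Graph service principal's appRoleAssignedTo.
foreach ($a in Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All) {
    $perm = $roleNames[$a.AppRoleId]
    $findings += [pscustomobject]@{
        Principal   = $a.PrincipalDisplayName
        PrincipalId = $a.PrincipalId
        Type        = 'Application'
        Permission  = $perm
        Broad       = [bool]($perm -match $broadPattern)
    }
}

# 2. Delegated permissions: OAuth2 grants to Graph, admin-consented for all
#    users (AllPrincipals) or consented by an individual user (Principal).
foreach ($g in Get-MgOauth2PermissionGrant -All | Where-Object { $_.ResourceId -eq $graphSp.Id }) {
    $client = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        $findings += [pscustomobject]@{
            Principal   = $client.DisplayName
            PrincipalId = $client.Id
            Type        = $(if ($g.ConsentType -eq 'AllPrincipals') { 'Delegated (admin consent)' } else { 'Delegated (user consent)' })
            Permission  = $scope
            Broad       = [bool]($scope -match $broadPattern)
        }
    }
}

# Broad grants first on screen; the full inventory goes to CSV as the review record.
$findings | Sort-Object Broad -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\graph-permission-inventory.csv -NoTypeInformation  # placeholder path
```

Work through the rows marked Broad first: a service principal with application-level Mail.Read or Files.Read.All can read that data for the whole tenant without a signed-in user, so a stale or unexplained grant of that kind is the one to remove. Delegated grants are bounded by the consenting user's own access, but admin-consented ones still apply to every user in the tenant.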
Review Graph API audit logs. Check the Microsoft 365 Unified Audit Log for unusual Graph API queries or data access patterns during the vulnerable period.
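The log review above can be scripted against the Unified Audit Log with the Exchange Online PowerShell module. The script below is an added example, not part of the advisory or any Microsoft tooling: it pages through the full result set for a review window, flattens the per-event JSON, and summarises activity by application and user and by hour so bulk-access outliers stand out. The 30-day window and the output path are placeholders; the AuditData field names used (Operation, UserId, ClientIP, Workload, ApplicationId/AppId) are populated by the Exchange and SharePoint workloads, and the assumption is that the caller holds an audit-reader role.

```powershell
# Added example (not from the advisory): pull Unified Audit Log records for the
# review window and summarise them so unusual application-driven data access
# stands out. Requires the ExchangeOnlineManagement module and an audit reader
# role (assumption). Set the window to the period your organisation treats as exposed.
Connect-ExchangeOnline -ShowBanner:$false

$start = (Get-Date).AddDays(-30)   # placeholder window
$end   = Get-Date

# Search-UnifiedAuditLog returns at most 5000 rows per call; a fixed -SessionId
# with -SessionCommand ReturnLargeSet pages through the complete result set.
$session = 'graph-review-' + [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page.Count -eq 5000)

# Each row carries the detailed event as JSON in AuditData. Not every workload
# populates every field, so missing values are left empty rather than dropped.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Workload  = $d.Workload
        Operation = $d.Operation
        User      = $d.UserId
        AppId     = $(if ($d.ApplicationId) { $d.ApplicationId } else { $d.AppId })
        ClientIP  = $d.ClientIP
    }
}

# Volume per (application, user): a non-interactive app touching many mailboxes
# or sites outside its normal pattern is the case to chase.
$events | Where-Object { $_.AppId } | Group-Object AppId, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 25 | Format-Table -AutoSize

# Read-style operations per hour, to spot bursts of bulk data access.
$events |
    Where-Object { $_.Operation -match 'MailItemsAccessed|FileAccessed|FileDownloaded|SearchQueryInitiated' } |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name | Format-Table Name, Count -AutoSize

$events | Export-Csv -Path .\graph-audit-review.csv -NoTypeInformation  # placeholder path
```

Cross-check the AppId column against the permission inventory from the previous recommendation: an application that appears here with broad Graph permissions but no business owner is the first thing to investigate. The Unified Audit Log records workload-level events rather than individual Graph API requests; tenants that have enabled the Microsoft Graph activity logs diagnostic setting in Microsoft Entra can query request-level detail from that table in Log Analytics.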
References
- Microsoft MSRC — CVE-2026-47655
- NVD: CVE-2026-47655
- Vulnerability Intelligence Report — June 5, 2026
This advisory is covered in the broader Vulnerability Intelligence Report — June 5, 2026.
