Microsoft Teams Critical Auth Flaw Exposes Info (CVE-2026-33823)
A critical authorization vulnerability, CVE-2026-33823, has been identified in Microsoft Teams, according to the National Vulnerability Database. Rated with a CVSS score of 9.6, this flaw allows an authorized attacker to disclose sensitive information over the network. The vulnerability is classified under CWE-285, indicating improper authorization.
This isn’t just another bug; it’s a critical information disclosure vector within a platform central to enterprise communication. An attacker already inside your network, even with low-level access, could leverage this to exfiltrate data from Teams. The ‘authorized attacker’ caveat is crucial — it means a compromised account, not necessarily a highly privileged one, becomes a pivot point for broader data theft.
Defenders need to treat this with urgency. While specific affected product versions weren’t detailed by the National Vulnerability Database, assume widespread impact across Microsoft Teams deployments. CISOs must prioritize monitoring for updates from Microsoft, as an immediate patch is the only real mitigation. Until then, bolster your monitoring around Teams activity, specifically looking for unusual access patterns or data flows from internal accounts.
What This Means For You
- If your organization uses Microsoft Teams, understand that CVE-2026-33823 represents a critical risk for information disclosure. An attacker with *any* authorized access could exploit this. Prioritize patching Microsoft Teams immediately once updates are available. In the interim, enhance your logging and monitoring for suspicious activity originating from Teams, especially unexpected data egress or unusual access by internal users.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Microsoft Teams Improper Authorization Information Disclosure - CVE-2026-33823
title: Microsoft Teams Improper Authorization Information Disclosure - CVE-2026-33823
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
This rule detects potential exploitation of CVE-2026-33823, a critical improper authorization vulnerability in Microsoft Teams. It specifically looks for GET requests to the '/api/v1/users/' endpoint with parameters indicative of an attempt to retrieve user profile information (like email and phone numbers) without proper authorization, which could lead to information disclosure.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-33823/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/api/v1/users/'
cs-method:
- 'GET'
sc-status:
- 200
cs-uri-query|contains:
- 'include=profile&fields=email,phone'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33823 | Information Disclosure | Microsoft Teams |
| CVE-2026-33823 | Auth Bypass | Improper authorization |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate
CVE-2026-6667 — PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console...
CVE-2026-6666 — A possible null pointer reference in PgBouncer before
CVE-2026-6666 — A possible null pointer reference in PgBouncer before 1.25.2 could lead to a crash, if a server sends an error response without SQLSTATE...
PgBouncer SCRAM Vulnerability (CVE-2026-6665) Allows Stack Overflow
CVE-2026-6665 — The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM...