{"schema_version":"1.0","report_url":"https://aretiq.ai/research/vul260622-cve-2026-45502-microsoft-exchange-server-ews-installapp-server-side-request-forgery/","date":"2026-06-22","last_modified":"2026-06-22","cve":"CVE-2026-45502","title":"CVE-2026-45502 — Microsoft Exchange Server EWS InstallApp Server-Side Request Forgery","vulnerability_name":"Microsoft Exchange Server EWS InstallApp Server-Side Request Forgery","vendor":"Microsoft","product":"Exchange Server","component":"Exchange Web Services (EWS) — InstallApp SOAP Operation","binary":"Microsoft.Exchange.Data.ApplicationLogic.dll","impact":"Info Disclosure","cwe":["CWE-918","CWE-863"],"severity":{"cvss_v4_score":2.3,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N/E:P"},"attack_vector":"Network","patch_kb":"KB5094139","poc_verified":true,"poc_download":"https://aretiq.ai/downloads/","tags":["cve-2026-45502","exchange","ews","ssrf","installapp","microsoft","mail-server","information-disclosure"],"summary":"A server-side request forgery (SSRF) vulnerability exists in Microsoft Exchange Server’s Exchange Web Services (EWS) InstallApp operation. When an authenticated user submits a ManifestUrl parameter via the InstallApp SOAP request, Exchange downloads the manifest from the supplied URL. The intranet address check that prevents SSRF is gated on the isBposUser flag, which is false for all on-premises Exchange deployments. This means the check is bypassed entirely in non-cloud environments, allowing an authenticated user to force the Exchange server to make HTTP requests to arbitrary internal or external URLs. Microsoft addressed this vulnerability in the June 2026 security update (KB5094139)."}