Heads up: Microsoft Teams CVE-2026-33823 is rated 9.6 by Microsoft, 6.5 by NVD
Not trying to hype this one, but I would not ignore it if you run Teams in an enterprise tenant.
CVE-2026-33823 is an improper authorization bug; the affected product is Microsoft Teams. The public write-up is still pretty thin, but the useful bits are:
- network attack vector
- low privileges required
- no user interaction
- high confidentiality impact
- Microsoft scores it 9.6 Critical
- NVD currently scores the same CVE as 6.5 Medium
NVD also marks this as an exclusively hosted service, so this may not be a normal "install this KB" kind of fix. My practical take for now:
- check the MSRC entry and Microsoft 365 admin center/service health for tenant guidance
- make sure Teams clients are current where you manage desktop/mobile clients
- review external access, guest access, and sensitive Teams/SharePoint permissions while details are limited
- keep an eye out for any follow-up from Microsoft that explains the 9.6 score
That last permissions review is not a CVE-specific patch, just blast-radius reduction until Microsoft publishes more detail.
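A read-only check for the external/guest access review above, added here as an example rather than anything from the post or from Microsoft. It assumes the MicrosoftTeams PowerShell module and a Teams admin role; the string test on AllowedDomains is an assumption about how that object displays.

```powershell
# Added example (not from the post or Microsoft): read-only inventory of the
# Teams external/guest access settings the post suggests reviewing.
# Assumes the MicrosoftTeams module is installed and the caller holds a Teams
# administrator role. Nothing here changes tenant configuration.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

function Get-TeamsExternalExposure {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Area, $Setting, $Value, [bool]$Permissive, $Why)
        $findings.Add([pscustomobject]@{
            Area = $Area; Setting = $Setting; Value = $Value; Permissive = $Permissive; Why = $Why
        })
    }

    # External (federated) access: which outside parties can reach tenant users
    $fed = Get-CsTenantFederationConfiguration
    & $add 'External' 'AllowFederatedUsers'       $fed.AllowFederatedUsers       $fed.AllowFederatedUsers       'Other Microsoft 365 orgs can contact users'
    & $add 'External' 'AllowTeamsConsumer'        $fed.AllowTeamsConsumer        $fed.AllowTeamsConsumer        'Users can chat with personal Teams accounts'
    & $add 'External' 'AllowTeamsConsumerInbound' $fed.AllowTeamsConsumerInbound $fed.AllowTeamsConsumerInbound 'Personal Teams accounts can initiate contact'
    & $add 'External' 'AllowPublicUsers'          $fed.AllowPublicUsers          $fed.AllowPublicUsers          'Skype consumer users can contact users'
    # Open federation = federated access on with no domain allow list.
    # Assumption: the AllowedDomains object's string form names 'AllowAllKnownDomains' when no list is set.
    $allowAll = "$($fed.AllowedDomains)" -match 'AllowAllKnownDomains'
    & $add 'External' 'AllowedDomains' "$($fed.AllowedDomains)" ($fed.AllowFederatedUsers -and $allowAll) 'No allow list: any federated domain can reach users'

    # Guest access: whether B2B guests can be added to teams at all
    $client = Get-CsTeamsClientConfiguration -Identity Global
    & $add 'Guest' 'AllowGuestUser' $client.AllowGuestUser $client.AllowGuestUser 'Guests can be added to teams and see their content'

    # Anonymous meeting join widens who can reach meeting content without an account
    $meet = Get-CsTeamsMeetingPolicy -Identity Global
    & $add 'Meetings' 'AllowAnonymousUsersToJoinMeeting' $meet.AllowAnonymousUsersToJoinMeeting $meet.AllowAnonymousUsersToJoinMeeting 'Unauthenticated users can join meetings'

    return $findings
}

# Permissive settings first; each is a blast-radius decision, not a CVE fix
Get-TeamsExternalExposure | Sort-Object Permissive -Descending | Format-Table Area, Setting, Value, Permissive, Why -AutoSize
```

Run it once before and once after any change so the diff of the two tables documents what was tightened while the CVE details are still thin.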
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-33823
- MSRC: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33823
- FixTheCVE tracker: https://fixthecve.com/cve/CVE-2026-33823
Has anyone seen more concrete tenant guidance from Microsoft yet?