URL: https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498


Exchange Team Blog

Addressing Exchange Server May 2026 vulnerability CVE-2026-42897

The_Exchange_Team
May 14, 2026

UPDATE June 9, 2026: Please see our release blog post for June 2026 Security Update for more information on this CVE: Released: June 2026 Exchange Server Security Updates | Microsoft Community Hub.

On May 14, 2026, Microsoft disclosed CVE-2026-42897, a reported vulnerability affecting Exchange Outlook Web Access (OWA). An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

The following on-premises Exchange Server versions are impacted:

  • Exchange Server 2016 (any update level)
  • Exchange Server 2019 (any update level)
  • Exchange Server Subscription Edition (SE) (any update level)

Exchange Online is not impacted by this vulnerability.

Mitigations

Option 1 (recommended): Exchange Emergency Mitigation (EM) Service

For customers who have the Exchange EM Service enabled, Microsoft released the automatic mitigation for Exchange Server 2016, 2019 and SE. The mitigation is already published and is enabled automatically.

As a reminder – EM Service was released in September 2021 and is enabled by default. More information on this service can be found in Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn.

Customers with EM Service enabled can verify that their servers have applied the mitigation for CVE-2026-42897 (the mitigation ID is M2.1.x) by doing the following:

Using EM Service is the best way for your organization to mitigate this vulnerability right away. If you have EM Service currently disabled, we recommend you enable it right away.

Please note that EM Service will not be able to check for new mitigations if your server is running a version of Exchange Server older than the March 2023 release, as per this article. To check the exact version of Exchange currently in use, utilize Option 1 or Option 2 mentioned on this page: Exchange Server build numbers and release dates | Microsoft Learn.

Option 2: Scripted application of mitigation

For customers who are unable to use the EM Service (for example, disconnected or air-gapped environments), we are providing the following process to enable this mitigation:

  1. Download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from:

https://aka.ms/UnifiedEOMT

  2. Apply the mitigation on a per-server basis or on all servers at once by running the script via an elevated Exchange Management Shell (EMS):

Single server:

.\EOMT.ps1 -CVE "CVE-2026-42897"

All servers:

Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"

Please note that mitigations do not work if the client that is used to access OWA is Internet Explorer or Microsoft Edge using Internet Explorer Mode. Internet Explorer does not support Content Security Policy (CSP).
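The verification steps for Option 1 and the scripted rollout in Option 2 can be combined into a single inventory-then-apply pass. The following script is an added example, not code from the Exchange Team post or from EOMT itself. It assumes it is run from an elevated Exchange Management Shell with EOMT.ps1 in the current folder, that the mitigation ID prefix "M2.1" is the one the post gives, that the EM Service Windows service is named MSExchangeMitigation, and that the MitigationsEnabled/MitigationsApplied/MitigationsBlocked properties on Get-ExchangeServer reflect what the EM Service has done on each server. Without -Apply it only reports.

```powershell
# Added example (not from the post): report EM Service state and CVE-2026-42897
# mitigation status per server, then optionally run EOMT where it is missing.
param(
    [string] $Cve = "CVE-2026-42897",
    [string] $MitigationIdPrefix = "M2.1",   # post states the ID as "M2.1.x"
    [string] $EomtPath = ".\EOMT.ps1",       # downloaded from https://aka.ms/UnifiedEOMT
    [switch] $Apply                          # report only unless -Apply is given
)

# 1. Organization-wide EM Service switch and the local service itself
$orgEmEnabled = (Get-OrganizationConfig).MitigationsEnabled
Write-Host "Organization MitigationsEnabled: $orgEmEnabled"
$svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue   # assumed service name
if ($svc) { Write-Host "Local EM Service status: $($svc.Status)" }
else      { Write-Warning "EM Service not found on this server (build too old, or service removed)" }

# 2. Per-server build and mitigation lists; Edge servers are excluded, matching the post's command
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }
$report = foreach ($s in $servers) {
    $applied = @($s.MitigationsApplied)
    [pscustomobject]@{
        Server             = $s.Name
        # Compare against the March 2023 minimum from the build-numbers page before trusting EM status
        Build              = $s.AdminDisplayVersion
        EmEnabled          = $s.MitigationsEnabled
        MitigationsApplied = ($applied -join ",")
        MitigationsBlocked = (@($s.MitigationsBlocked) -join ",")
        HasCveMitigation   = [bool]($applied | Where-Object { $_ -like "$MitigationIdPrefix*" })
    }
}
$report | Format-Table -AutoSize

# 3. Servers that do not report the mitigation
$missing = @($report | Where-Object { -not $_.HasCveMitigation })
if ($missing.Count -eq 0) {
    Write-Host "All non-Edge servers report the $Cve mitigation."
    return
}
Write-Warning ("Mitigation for {0} not reported on: {1}" -f $Cve, ($missing.Server -join ", "))

# 4. Option 2 rollout, limited to the servers that need it
if ($Apply) {
    if (-not (Test-Path $EomtPath)) {
        throw "EOMT.ps1 not found at $EomtPath; download it from https://aka.ms/UnifiedEOMT"
    }
    $servers | Where-Object { $_.Name -in $missing.Server } | & $EomtPath -CVE $Cve

    # Re-read the server objects; if an EOMT-applied mitigation is not reflected here,
    # rely on the output EOMT.ps1 printed for each server.
    Get-ExchangeServer | Where-Object { $_.Name -in $missing.Server } |
        Format-Table Name, MitigationsApplied, MitigationsBlocked -AutoSize
}
```

Run it once without -Apply after enabling EM Service to confirm the mitigation arrived on its own (Option 1), and with -Apply only in disconnected environments where EOMT is the intended path. A server listed under MitigationsBlocked has had that mitigation explicitly excluded and will not pick it up until the block is removed.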

Known issues when mitigation is applied

We are aware of the following known issues once the CVE-2026-42897 mitigation is applied (using either option above):

  • OWA Print Calendar functionality might not work. As a workaround, copy the data or screenshot the calendar you want to print, or use the Outlook Desktop client.
  • Inline images might not display correctly in the recipient's OWA reading pane. As a workaround, send images as email attachments or use the Outlook Desktop client.
  • OWA Light (OWA URL ending in /?layout=light) does not work properly. Please note that this feature was deprecated several years ago and is not intended for regular production use.
  • The OWACalendar.Proxy health set might start showing as unhealthy once the mitigation is in effect. This can cause alerts if you use monitoring solutions for your Exchange Server. If you see this problem, we recommend ignoring those alerts within your monitoring platform until the fix is out and the mitigation is removed.
  • Published calendars might not work and return error 500.
  • We are aware of the mitigation showing "Mitigation invalid for this exchange version." in the mitigation details. This issue is cosmetic, and the mitigation DOES apply successfully if the status is shown as "Applied". We are investigating how to address this.
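Because the post advises ignoring the OWACalendar.Proxy alerts but not others, it helps to separate the expected health-set state from anything else that goes unhealthy while the mitigation is in place. The following is an added example, not part of the post; it assumes an Exchange Management Shell session and uses the health-set name exactly as the post gives it.

```powershell
# Added example (not from the post): list unhealthy health sets per non-Edge server and tag
# the OWACalendar.Proxy state, which the post says is expected while the mitigation is applied.
$expectedWhileMitigated = @("OWACalendar.Proxy")   # health set named in the post's known issues

$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" }
$rows = foreach ($s in $servers) {
    # Get-ServerHealth returns one entry per monitor; keep anything that is not Healthy or Disabled
    $unhealthySets = Get-ServerHealth -Identity $s.Name |
        Where-Object { $_.AlertValue -notin @("Healthy", "Disabled") } |
        Select-Object -ExpandProperty HealthSetName -Unique
    foreach ($hs in $unhealthySets) {
        [pscustomobject]@{
            Server    = $s.Name
            HealthSet = $hs
            Action    = if ($hs -in $expectedWhileMitigated) { "EXPECTED (mitigation known issue)" }
                        else { "INVESTIGATE" }
        }
    }
}
$rows | Sort-Object Action, Server | Format-Table -AutoSize
```

Anything tagged INVESTIGATE is not explained by the known issue and should be triaged normally; once the June 2026 security update is installed and the mitigation removed, OWACalendar.Proxy should drop off this list as well.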

Addressing the vulnerability permanently

Microsoft is working on a security update for impacted versions of Exchange Server and will release and announce it in the future. For details of the update that has since been released, see: Released: June 2026 Exchange Server Security Updates | Microsoft Community Hub.

Please note that the Exchange SE update will be released as a publicly available security update. Exchange 2016 and 2019 updates will be released only to customers who are enrolled in the Period 2 Exchange Server ESU program, as per Announcing Period 2 Exchange 2016/2019 Extended Security Update (ESU) program.

Updates to this blog post:

  • 6/9/2026: Update to reflect Released: June 2026 Exchange Server Security Updates | Microsoft Community Hub
  • 5/20/2026: Added a published calendars known issue.
  • 5/18/2026: Added a note that mitigations do not protect Internet Explorer or Microsoft Edge with Internet Explorer mode clients.
  • 5/17/2026: Added a known issue with the OWACalendar.Proxy health set showing unhealthy (impact if using Exchange Server monitoring).
  • 5/14/2026: Added a known issue with OWA Light.
  • 5/14/2026: Added the mitigation ID (M2.1.x).
  • 5/14/2026: Added a known issue with mitigation details displaying an incorrect Description.

The Exchange Server Team

Updated Jun 09, 2026