Exchange Team Blog

Addressing Exchange Server May 2026 vulnerability CVE-2026-42897

The_Exchange_Team
Platinum Contributor
May 14, 2026

On May 14, 2026, Microsoft disclosed CVE-2026-42897, a reported vulnerability affecting Exchange Outlook Web Access (OWA). An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

The following on-premises Exchange Server versions are impacted:

  • Exchange Server 2016 (any update level)
  • Exchange Server 2019 (any update level)
  • Exchange Server Subscription Edition (SE) (any update level)

Exchange Online is not impacted by this vulnerability.

Mitigations

Option 1 (recommended): Exchange Emergency Mitigation (EM) Service

For customers who have the Exchange EM Service enabled, Microsoft released the automatic mitigation for Exchange Server 2016, 2019 and SE. The mitigation is already published and is enabled automatically.

As a reminder, EM Service was released in September 2021 and is enabled by default. More information on this service is available in Exchange Emergency Mitigation Service (Exchange EM Service) | Microsoft Learn.

Customers with EM Service enabled can verify that their servers have applied the mitigation for CVE-2026-42897 (the mitigation ID is M2.1.x) by doing the following:

Using EM Service is the fastest way for your organization to mitigate this vulnerability. If EM Service is currently disabled, we recommend enabling it right away.

Please note that EM Service will not be able to check for new mitigations if your server is running an Exchange Server version older than the March 2023 release, as described in this article. To check the exact version of Exchange currently in use, use Option 1 or Option 2 on this page: Exchange Server build numbers and release dates | Microsoft Learn.

Option 2: Scripted application of mitigation

For customers who are unable to use the EM Service (for example, disconnected or air-gapped environments), we are providing the following process to enable this mitigation:

  1. Download the latest version of the Exchange on-premises Mitigation Tool (EOMT) from:

https://aka.ms/UnifiedEOMT

  2. Apply the mitigation on a per-server basis, or on all servers at once, by running the script from an elevated Exchange Management Shell (EMS):

Single server:

.\EOMT.ps1 -CVE "CVE-2026-42897"

All servers:

Get-ExchangeServer | Where-Object { $_.ServerRole -ne "Edge" } | .\EOMT.ps1 -CVE "CVE-2026-42897"
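Whichever option is used, the verification step is the same: confirm that every non-Edge server reports an applied mitigation from the M2.1.x family. The script below is an added example, not part of the Exchange Team post or the EOMT tool; it assumes an elevated Exchange Management Shell and uses the MitigationsEnabled, MitigationsApplied and MitigationsBlocked properties that the EM Service documentation exposes on Get-ExchangeServer. The regular expression for the mitigation ID is an assumption derived from the "M2.1.x" stated above.

```powershell
# Added example (not from the Exchange Team post): per-server status report for the
# CVE-2026-42897 mitigation. Run from an elevated Exchange Management Shell.
# Assumption: the mitigation ID family is "M2.1.x" as stated in the post, so any
# applied/blocked ID starting with "M2.1." is treated as this CVE's mitigation.
$mitigationPattern = '^M2\.1\.'

# Organization-wide EM Service switch (servers can additionally be disabled individually).
$orgMitigationsOn = (Get-OrganizationConfig).MitigationsEnabled

$report = Get-ExchangeServer |
    Where-Object { $_.ServerRole -ne 'Edge' } |
    ForEach-Object {
        $applied = @($_.MitigationsApplied | Where-Object { $_ -match $mitigationPattern })
        $blocked = @($_.MitigationsBlocked | Where-Object { $_ -match $mitigationPattern })
        [pscustomobject]@{
            Server               = $_.Name
            # Compare against the March 2023 SU or later: older builds cannot fetch new mitigations.
            Build                = $_.AdminDisplayVersion
            OrgMitigationsOn     = $orgMitigationsOn
            ServerMitigationsOn  = $_.MitigationsEnabled
            CveMitigationApplied = ($applied.Count -gt 0)
            AppliedIds           = ($applied -join ',')
            BlockedIds           = ($blocked -join ',')
        }
    }

$report | Format-Table -AutoSize

# Servers needing attention: EM Service disabled on the server, or no M2.1.x mitigation applied.
$needsAction = @($report | Where-Object { -not $_.ServerMitigationsOn -or -not $_.CveMitigationApplied })
if ($needsAction.Count -gt 0) {
    Write-Warning ("Servers without the CVE-2026-42897 mitigation: " + (($needsAction | ForEach-Object { $_.Server }) -join ', '))
    Write-Warning "Enable EM Service (Option 1) or run EOMT.ps1 -CVE ""CVE-2026-42897"" on these servers (Option 2)."
} else {
    Write-Host "All non-Edge servers report an applied M2.1.x mitigation."
}
```

A server that lists the ID under BlockedIds has been explicitly excluded from that mitigation and will not be protected until the block is removed or EOMT is run against it.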

Known issues when mitigation is applied

We are aware of the following known issues once the CVE-2026-42897 mitigation is applied (using either option above):

  • OWA Print Calendar functionality might not work. As a workaround, copy the data or take a screenshot of the calendar you want to print, or use the Outlook desktop client.
  • Inline images might not display correctly in the recipient's OWA reading pane. As a workaround, send images as email attachments or use the Outlook desktop client.
  • OWA Light (OWA URL ending in /?layout=light) does not work properly. Please note that this feature was deprecated several years ago and is not intended for regular production use.
  • We are aware of the mitigation details showing "Mitigation invalid for this exchange version." This issue is cosmetic, and the mitigation DOES apply successfully if the status is shown as "Applied". We are investigating how to address this.

Addressing the vulnerability permanently

Microsoft is working on a security update for the impacted versions of Exchange Server and will release and announce it in the future. The update will be released for Exchange SE RTM, Exchange 2016 CU23, and Exchange Server 2019 CU14 and CU15 (if you are running older CU versions, please update now).

Please note that the Exchange SE update will be released as a publicly available security update. Exchange 2016 and 2019 updates will be released only to customers who are enrolled in the Period 2 Exchange Server ESU program, as per Announcing Period 2 Exchange 2016/2019 Extended Security Update (ESU) program. Customers with Period 1 ESU only will not receive this update, as that ESU program ended in April 2026.

Updates to this blog post:

  • 5/14/2026: Added a known issue with OWA Light.
  • 5/14/2026: Added the mitigation ID (M2.1.x).
  • 5/14/2026: Added a known issue with mitigation details displaying an incorrect Description.

The Exchange Server Team

Updated May 14, 2026
Version 7.0