AI description
Automated description summarized from trusted sources.
CVE-2026-41100 describes an improper access control vulnerability found in Microsoft 365 Copilot for Android. This flaw allows an authorized attacker to perform local spoofing. The vulnerability is associated with a development flag that was inadvertently left active in the production code of several Microsoft 365 Android applications. This oversight could enable an unauthorized application on the same device to access Microsoft account tokens, potentially leading to spoofing.
- Description: Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.
- Source: secure@microsoft.com
- NVD status: Analyzed
- Products: 365_copilot
CVSS 3.1
- Type: Primary
- Base score: 4.4
- Impact score: 2.5
- Exploitability score: 1.8
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Severity: MEDIUM
- secure@microsoft.com: CWE-284
- nvd@nist.gov: NVD-CWE-Other
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:android:*:*",
            "matchCriteriaId": "71B289C6-6C8F-4217-AA2A-06931EE86372",
            "versionEndExcluding": "16.0.19822.20190",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]