CVE-2026-41101

Published May 12, 2026

Last updated 2 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-41101 is an improper access control vulnerability affecting Microsoft Office Word for Android. This flaw allows an authorized local attacker to perform spoofing. The vulnerability stems from a debug flag mistakenly left active in the production code of several Microsoft 365 Android applications, including Word. This misconfiguration bypassed security checks designed to prevent untrusted applications from receiving Microsoft account tokens. Consequently, another app already installed on the same Android device could request and obtain these tokens without requiring user interaction, potentially granting access to sensitive user data such as emails, files, and documents.

Description: Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.
Source: secure@microsoft.com
NVD status: Analyzed
Products: word

Risk scores

CVSS 3.1

Type: Primary
Base score: 5.5
Impact score: 3.6
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Severity: MEDIUM

Weaknesses

secure@microsoft.com: CWE-284
nvd@nist.gov: NVD-CWE-noinfo

References

Sources include official advisories and independent security research.