AI description
Automated description summarized from trusted sources.
CVE-2026-41101 is an improper access control vulnerability affecting Microsoft Office Word for Android. This flaw allows an authorized local attacker to perform spoofing. The vulnerability stems from a debug flag mistakenly left active in the production code of several Microsoft 365 Android applications, including Word. This misconfiguration bypassed security checks designed to prevent untrusted applications from receiving Microsoft account tokens. Consequently, another app already installed on the same Android device could request and obtain these tokens without requiring user interaction, potentially granting access to sensitive user data such as emails, files, and documents.
- Description: Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.
- Source: secure@microsoft.com
- NVD status: Analyzed
- Products: word
CVSS 3.1
- Type: Primary
- Base score: 5.5
- Impact score: 3.6
- Exploitability score: 1.8
- Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Severity: MEDIUM
- secure@microsoft.com: CWE-284
- nvd@nist.gov: NVD-CWE-noinfo
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*",
            "matchCriteriaId": "8299056B-8884-4A3E-B91F-3E69AB135AF8",
            "versionEndExcluding": "16.0.19822.20190",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]