External risk intelligence

Microsoft Power Apps lets attackers steal control of apps and customer data

CVE advisory

Severity: CRITICAL (CVSS 9.0)

CVE-2026-26149

An internal attacker with access to Microsoft Power Apps can manipulate displayed information to impersonate trusted sources. This allows them to deceive staff into providing sensitive credentials or accessing unauthorized data, damaging the integrity of internal business operations.

Halo Surface Signal: 2

Affected product: Microsoft Power Apps

Affected versions: before 3.26032.10.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-26149

The vulnerability requires an attacker to possess authenticated access within an organization's internal enterprise environment. The issue affects internal data processing and business applications where the attacker must already be inside the network, making direct public internet exposure for this specific attack path uncommon.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Microsoft Power Apps allows an attacker with existing access to potentially impersonate users by manipulating control sequences. This could lead to significant disruptions and loss of trust in applications.

  • It impacts authorized users within an organization.
  • Can lead to spoofed actions over a network.
  • Demands attention due to its critical severity.

Attack Path

How an attacker could exploit the issue

An attacker with existing authenticated access could abuse this flaw in Microsoft Power Apps to spoof information over a network. This could involve tricking users into believing malicious content is legitimate, potentially leading to further compromise.

  • Requires authenticated access.
  • Targets Power Apps user interface.
  • Relies on user interaction.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Microsoft Power Apps allows an authorized attacker to perform network spoofing. The need for an attacker to already have authenticated access within an organization's internal network makes direct exploitation from the public internet less likely. However, once inside, an attacker could leverage this to impersonate legitimate actions.

  • Requires authenticated access.
  • No public exploit observed.
  • Recency is uncertain.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize monitoring and blocking of traffic targeting Microsoft Power Apps. Given the critical severity and potential for spoofing, investigate any unusual or unexpected Power Apps activity immediately. If exploit attempts are detected, consider isolating affected systems.

  • Review Power Apps logs for suspicious activity.
  • Block traffic from suspicious sources.
  • Apply vendor patches when available.

Frequently asked questions

What is CVE-2026-26149 affecting Microsoft Power Apps?

CVE-2026-26149 is a critical vulnerability in Microsoft Power Apps that allows an authorized attacker to perform spoofing over a network because the application improperly neutralizes escape, meta, or control sequences in data it handles. This could let an attacker impersonate legitimate actions or information within the application.

How does the improper neutralization of control sequences in Microsoft Power Apps lead to spoofing?

The weakness, identified as CWE-150, involves improper neutralization of escape, meta, or control sequences. This flaw enables an authorized attacker to manipulate how Power Apps processes certain characters or commands, leading to the presentation of misleading information or actions to users, effectively spoofing legitimate content.
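The advisory names the weakness class (CWE-150) but not which sequences Power Apps mishandles. The following Python is an added example, not Microsoft or Power Apps code, showing the generic defensive handling for this class: it scans user-controlled strings (and log records that carry them) for ANSI escape sequences, C0/C1 control characters, and Unicode format controls such as bidi overrides, strips them before display, and renders them visibly before logging. Which sequence classes count as "escape, meta, or control sequences" is this example's assumption; the log format and the field values are constructed. It serves both the "review Power Apps logs" step in the Operational Fix section and the CWE-150 explanation above.

```python
import re
from typing import Iterable

# Added example, not Power Apps code. The three sequence classes below are this
# example's assumption about what CWE-150 covers for a display field; the
# advisory does not say which sequences the Power Apps flaw involves.

# ANSI escape sequences: CSI (ESC [ ... final), OSC (ESC ] ... BEL or ESC \),
# other two-byte Fe escapes (ESC @ .. ESC _), and finally a lone ESC.
ANSI_ESCAPE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]"        # CSI, e.g. ESC[2K (erase line) or ESC[31m
    r"|\][^\x07\x1b]*(?:\x07|\x1b\\)"    # OSC, e.g. ESC]0;title BEL
    r"|[@-_])"                           # Fe escapes, e.g. ESC D
    r"|\x1b"                             # lone ESC that starts no valid sequence
)

# C0/C1 control characters and DEL. Tab, CR and LF are included on purpose:
# these are single-line display fields, where a line break is itself a spoofing tool.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")

# Unicode format controls that change rendering while being invisible themselves:
# zero-width characters, bidi embeddings/overrides/isolates, and the BOM.
FORMAT_CHARS = re.compile(
    r"[\u200b-\u200f\u202a-\u202e\u2060-\u2064\u2066-\u2069\ufeff]"
)

SEQUENCE_CLASSES = (("ansi", ANSI_ESCAPE), ("control", CONTROL_CHARS), ("format", FORMAT_CHARS))


def _visible(m: re.Match) -> str:
    """Render a matched sequence as printable text, e.g. ESC[2K -> \\x1b[2K."""
    return m.group().encode("unicode_escape").decode("ascii")


def find_control_sequences(text: str) -> list[tuple[str, str]]:
    """Return (class, printable form) for every suspicious sequence in text.

    ANSI sequences are matched first and removed before the control-character
    pass, so the ESC byte inside them is not reported twice.
    """
    findings: list[tuple[str, str]] = []
    remaining = text
    for kind, pattern in SEQUENCE_CLASSES:
        findings.extend((kind, _visible(m)) for m in pattern.finditer(remaining))
        remaining = pattern.sub("", remaining)
    return findings


def neutralize_for_display(text: str) -> str:
    """Strip every sequence class before the string is shown to another user."""
    for _, pattern in SEQUENCE_CLASSES:
        text = pattern.sub("", text)
    return text


def escape_for_log(text: str) -> str:
    """Make the sequences visible instead of dropping them, so a log reviewer
    sees exactly what was submitted and a terminal viewing the log is not
    driven by it."""
    for _, pattern in SEQUENCE_CLASSES:
        text = pattern.sub(_visible, text)
    return text


def scan_log_lines(lines: Iterable[str]) -> list[tuple[int, list[tuple[str, str]]]]:
    """Return (line number, findings) for each log record carrying such sequences."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        findings = find_control_sequences(line)
        if findings:
            hits.append((lineno, findings))
    return hits


# Constructed sample records in a made-up key=value format; not real Power Apps telemetry.
SAMPLE_LOG_LINES = [
    'user=alice action=set_display_name value="Alice Smith"',
    # Erase-line plus bold red: what the reader sees is not what was stored.
    'user=bob action=set_display_name value="Helpdesk\x1b[2K\x1b[1;31m Verify your password"',
    # Right-to-left override (U+202E) reverses the displayed order of what follows.
    'user=carol action=set_label value="Status: \u202eDEINED"',
]

if __name__ == "__main__":
    for lineno, findings in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {lineno}: {findings}")
        print("  logged as:", escape_for_log(SAMPLE_LOG_LINES[lineno - 1]))
        print("  displayed as:", neutralize_for_display(SAMPLE_LOG_LINES[lineno - 1]))
```

The two output paths differ deliberately: a display field gets the sequences removed, while a log record keeps them in printable form so that an analyst reviewing the logs can see the attempt, which is the signal the Operational Fix section asks teams to look for.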

What is the trigger path and scope of CVE-2026-26149 in Microsoft Power Apps?

The vulnerability can be triggered when an authorized attacker with existing authenticated access within an organization's network exploits improper handling of control sequences within Microsoft Power Apps. The scope is network-based, allowing for spoofing, and affects Power Apps versions up to, but not including, 3.26032.10.0 on Windows.

What is the relevance of CVE-2026-26149, considering the Halo Surface Signal?

While rated critical, the Halo Surface Signal indicates this vulnerability is 'Unlikely' to be exploited externally. This is because exploitation requires an attacker to already possess authenticated access within an organization's internal network, making direct exploitation from the public internet uncommon. However, for an attacker already inside, it can be leveraged for spoofing.

What practical steps should be taken in response to CVE-2026-26149?

Organizations should prioritize monitoring Power Apps for suspicious activity and consider blocking traffic from untrusted sources. Applying vendor patches provided by Microsoft is crucial. Reviewing Power Apps logs for any unusual or unexpected actions can help detect potential exploit attempts.
