{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20960", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-12-04T20:04:16.340Z", "datePublished": "2026-01-16T21:28:10.895Z", "dateUpdated": "2026-04-01T13:49:02.368Z"}, "containers": {"cna": {"title": "PowerApps Desktop Client Remote Code Execution Vulnerability", "datePublic": "2026-01-16T16:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:power_apps_desktop_client:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "25121"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Power Apps Desktop Client", "versions": [{"version": "1.0.0", "lessThan": "25121", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-285: Improper Authorization", "lang": "en-US", "type": "CWE", "cweId": "CWE-285"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:02.368Z"}, "references": [{"name": "PowerApps Desktop Client Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20960"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T21:49:22.024257Z", "id": "CVE-2026-20960", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:49:30.447Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20960", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-16T21:49:22.024257Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:49:26.640Z"}}], "cna": {"title": "PowerApps Desktop Client Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Power Apps Desktop Client", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "25121", "versionType": "custom"}]}], "datePublic": "2026-01-16T16:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20960", "name": "PowerApps Desktop Client Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:power_apps_desktop_client:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "25121", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-01T13:49:02.368Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20960", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:49:02.368Z", "dateReserved": "2025-12-04T20:04:16.340Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-01-16T21:28:10.895Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:power_apps:*:*:*:*:*:windows:*:*", "matchCriteriaId": "423B0F12-FF16-46E8-BE55-4ED350A963EE", "versionEndExcluding": "3.25121", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network."}], "id": "CVE-2026-20960", "lastModified": "2026-02-12T18:37:37.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2026-01-16T22:16:25.553", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20960"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "secure@microsoft.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T18:05:23.658858+00:00", "value": {"mitigation_remediation": ["Apply any available Microsoft Power Apps Desktop Client update or patch that addresses the authorization flaw.", "Restrict network access to the application by configuring firewall or network segmentation rules to limit the paths an attacker could use to deploy code remotely.", "Enforce the principle of least privilege for all users of Power Apps, ensuring that only the necessary permissions are granted and monitoring for any privilege escalation activity."], "summary": {"action": "Assess Impact", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All Windows installations of Microsoft Power Apps Desktop Client are affected. Exact version numbers are not disclosed in the advisory, so any deployment of the desktop client should be examined for the presence of the vulnerability.", "description_and_impact": "Microsoft Power Apps Desktop Client has an issue where an authorized user can gain authorization privileges that allow the execution of arbitrary code across a network. The flaw is an improper authorization weakness that enables a malicious actor who already has authenticated access to the application to bypass normal privilege checks and run code with elevated rights, potentially compromising data confidentiality, system integrity, and availability. The weakness is specifically mapped to improper authorization and insufficient permission checks.", "risk_and_exploitability": "The CVSS score of 8.0 indicates high severity, but the EPSS score is below 1%, suggesting that the likelihood of exploitation by attackers at this time is very low. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector appears to be remote over a network, requiring an attacker to already be authenticated to the application. Exploitation would involve leveraging successful authorization bypass to spawn or execute code on the target system, potentially enabling a full compromise of the user\u2019s environment."}}}}, "created": "2026-04-16T18:15:43.292199+00:00", "updated": "2026-04-16T18:15:43.292213+00:00", "vendors": []}