{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26149", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T16:24:51.135Z", "datePublished": "2026-04-14T16:56:57.430Z", "dateUpdated": "2026-05-12T17:37:53.609Z"}, "containers": {"cna": {"title": "Microsoft Power Apps Desktop Client Spoofing Vulnerability", "datePublic": "2026-04-14T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:power_apps_desktop_client:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "3.26032.10.0"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Power Apps Desktop Client", "versions": [{"version": "1.0.0", "lessThan": "3.26032.10.0", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences", "lang": "en-US", "type": "CWE", "cweId": "CWE-150"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:37:53.609Z"}, "references": [{"name": "Microsoft Power Apps Desktop Client Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:T/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-26149"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T03:56:56.219Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26149", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T17:58:28.009451Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:58:31.045Z"}}], "cna": {"title": "Microsoft Power Apps Desktop Client Spoofing Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:T/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Power Apps Desktop Client", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "3.26032.10.0", "versionType": "custom"}]}], "datePublic": "2026-04-14T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149", "name": "Microsoft Power Apps Desktop Client Spoofing Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-150", "description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:power_apps_desktop_client:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.26032.10.0", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:37:53.609Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26149", "state": "PUBLISHED", "dateUpdated": "2026-05-12T17:37:53.609Z", "dateReserved": "2026-02-11T16:24:51.135Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-04-14T16:56:57.430Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:power_apps:*:*:*:*:*:windows:*:*", "matchCriteriaId": "DFFF6D46-6068-4B5C-BAAE-0DBB907BC173", "versionEndExcluding": "3.26032.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network."}], "id": "CVE-2026-26149", "lastModified": "2026-05-07T20:06:17.310", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2026-04-14T18:16:45.790", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-150"}], "source": "secure@microsoft.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[1710 (9.2.23071.136),3.26032.10.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft Power Apps", "source": "cna", "vendor": "Microsoft"}, "product": "power-apps", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-21T00:07:18.144584+00:00", "value": {"mitigation_remediation": ["Check the Microsoft security portal for the latest patch or mitigation guidance.", "Apply any released update for Power Apps as soon as it becomes available.", "Restrict or monitor the privileges of users who have access to the affected Power Apps features until a patch is applied.", "Consider implementing additional input validation to neutralize escape and control sequences as a temporary safeguard."], "summary": {"action": "Immediate Patch", "impact": "Spoofing"}, "threat_synthesis": {"affected_systems": "Microsoft Power Apps is the affected product. No specific application version is listed, so all deployments of Microsoft Power Apps could be at risk.", "description_and_impact": "Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network. This flaw, classified as CWE\u2011150, can let an attacker impersonate legitimate users or misrepresent actions, undermining trust.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9, indicating high severity, and an EPSS score of < 1%, reflecting a very low but non\u2011zero likelihood that it will be exploited in the wild. It is not listed in the CISA KEV catalog. The attack vector is inferred to be over a network, requiring the attacker to be an authenticated user who can submit crafted input to neutralize security controls."}}}}, "created": "2026-04-15T14:31:56.926692+00:00", "updated": "2026-04-21T00:15:16.122889+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$power-apps"]}