{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32172", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-03-10T23:09:43.266Z", "datePublished": "2026-04-23T21:37:42.706Z", "dateUpdated": "2026-05-12T17:39:56.182Z"}, "containers": {"cna": {"title": "Microsoft Power Apps Remote Code Execution Vulnerability", "datePublic": "2026-04-23T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:power-apps:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Power Apps", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-427: Uncontrolled Search Path Element", "lang": "en-US", "type": "CWE", "cweId": "CWE-427"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:39:56.182Z"}, "references": [{"name": "Microsoft Power Apps Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32172"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-32172"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-25T03:55:47.811Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32172", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T14:51:21.309994Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T14:55:06.909Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft Power Apps Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft Power Apps", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-04-23T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32172", "name": "Microsoft Power Apps Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-427", "description": "CWE-427: Uncontrolled Search Path Element"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:power-apps:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-05-12T17:39:56.182Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32172", "state": "PUBLISHED", "dateUpdated": "2026-05-12T17:39:56.182Z", "dateReserved": "2026-03-10T23:09:43.266Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-04-23T21:37:42.706Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:power_apps:-:*:*:*:*:-:*:*", "matchCriteriaId": "2E54A718-D0E9-4F6C-9B1A-2AD79774A8F1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network."}], "id": "CVE-2026-32172", "lastModified": "2026-04-29T19:11:12.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.8, "source": "secure@microsoft.com", "type": "Secondary"}]}, "published": "2026-04-23T22:16:33.720", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32172"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-427"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft Power Apps", "source": "cna", "vendor": "Microsoft"}, "product": "power-apps", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-28T07:21:55.475885+00:00", "value": {"mitigation_remediation": ["Apply the Microsoft patch for CVE\u20112026\u201132172 as released by Microsoft Security Response Center.", "Upgrade Microsoft Power Apps to the latest version that includes the fix.", "Restrict network access to the Power Apps service to trusted IP ranges or a VPN to limit exposure to the vulnerability."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Microsoft Power Apps. No specific version information is provided, so all current releases are potentially vulnerable until a patch is applied.", "description_and_impact": "This vulnerability arises from an uncontrolled search path element that Microsoft Power Apps does not validate. It permits an unauthorized attacker who can reach the application over a network to execute arbitrary code on the host system. The weakness is classified as CWE\u2011427, indicating a failure to control the execution path. Exploitation would compromise the integrity and availability of the affected environment and could lead to full system compromise.", "risk_and_exploitability": "The CVSS base score of 8 signals high severity. The EPSS score of less than 1% indicates a low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. The description suggests the likely attack vector is a network\u2011remote connection, requiring the attacker to connect to the Power Apps instance. No privileged escalation is stated, so an unauthenticated or low\u2011privilege attacker could potentially exploit the flaw if network access is granted."}}}}, "created": "2026-04-27T21:15:05.350650+00:00", "updated": "2026-04-28T07:30:26.327959+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$power-apps"]}