
Microsoft 365 Android Apps Vulnerability Exposes User Accounts to Takeover

Severity: High (Score: 72.0)

Sources: Feeds.4Sysops, enclave.ai, msrc.microsoft.com, Cybersecuritynews, Darkreading

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: android, microsoft, flag, account, takeover, development, left

Severity indicators: ot

Summary

A coding error in Microsoft 365 Android applications allowed other apps on the same device to obtain the user's Microsoft account tokens, enabling account takeover. The vulnerability, dubbed FlagLeft, stems from a debug flag left enabled in the production code of a shared SDK used by six major apps, including Word and Excel; with the flag set, the SDK skipped verification of the app requesting a token. An attacker whose malicious app was installed on the device could therefore request and receive Microsoft account tokens silently, with no prompt or consent, and use them to read email and files. Because the affected apps have billions of users, the exposure was broad. Microsoft has patched the issue, and users are urged to update the affected apps immediately. The associated CVEs were published on May 12, 2026.

Key Points:

  • A debug flag in a shared SDK of the Microsoft 365 Android apps disabled caller verification, so any app on the device could obtain user tokens.
  • The vulnerability, dubbed FlagLeft, affected six major apps with billions of users.
  • Microsoft has released patches; users must update their apps to mitigate the risk.

Detailed Analysis

**Impact**

Billions of Microsoft 365 Android users were exposed to account takeover through six apps: Word, PowerPoint, Excel, OneNote, Loop, and Microsoft 365 Copilot. An attacker holding a stolen token could read email, send messages, access files, and view calendars without any user interaction or consent. The exposure affects both individual users and organizations that rely on Microsoft 365, across sectors and geographies.

**Technical Details**

A debug flag ("isDebugMode") was left enabled in the production code of a shared Microsoft SDK. With the flag on, the SDK skipped identity verification of the calling app when brokering tokens between apps, so any app on the same Android device could request Microsoft 365 authentication tokens and receive them without validation, bypassing the control that normally restricts cross-app token sharing to verified callers. The issue is tracked under CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, and CVE-2026-42832. Exploitation requires nothing more than an untrusted app on the device making a silent token request; no user interaction is needed, and the attack succeeds at the token acquisition stage, before any of the account's data is touched.

**Recommended Response**

Apply Microsoft's security updates immediately to all affected Microsoft 365 Android apps: Word, PowerPoint, Excel, OneNote, Loop, and Microsoft 365 Copilot. Review sign-in and audit logs for unusual account activity indicative of token misuse, such as access from unfamiliar devices or locations. Teams shipping similar SDKs should ensure that debug bypasses cannot reach release builds and should always validate the caller's identity (its package signing certificate, not a self-reported package name) before sharing tokens across apps. Organizations managing Android devices should enforce deployment of the patched versions through their MDM and audit installed applications for apps that could have requested tokens.
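As an added illustration (not code from Microsoft's SDK or from any of the source articles), the following Kotlin sketch shows the vulnerable shape of a cross-app token broker, a caller check gated on a hand-set debug switch, next to a hardened version that verifies the caller's APK signing certificate on every request. The class name TokenBroker, the flag name isDebugMode, the allowlist and its placeholder fingerprint are assumptions; Binder.getCallingUid, PackageManager.getPackagesForUid, hasSigningCertificate and CERT_INPUT_SHA256 are real Android APIs (the last two since API 28).

```kotlin
// Added example, not Microsoft SDK code. TokenBroker, isDebugMode and the
// fingerprint allowlist are assumptions; the Android APIs used are real (API 28+).
import android.content.Context
import android.content.pm.PackageManager
import android.os.Binder

class TokenBroker(private val context: Context, private val cachedToken: String) {

    // SHA-256 fingerprints (hex) of signing certificates allowed to receive tokens.
    // Placeholder value; a real allowlist holds the publisher's release cert(s).
    private val trustedSignerSha256 = listOf(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
    )

    // VULNERABLE PATTERN: a runtime switch around the caller check. Shipping a
    // release build with it left true disables verification for every app.
    var isDebugMode = true

    fun handleTokenRequestVulnerable(): String? {
        val callers = callerPackages() ?: return null
        if (!isDebugMode && !callers.all { isTrustedSigner(it) }) return null
        return cachedToken
    }

    // HARDENED: no bypass exists. Caller identity comes from the kernel-assigned
    // UID of the Binder transaction, never from a package name the caller sends,
    // and the caller's APK signing certificate must be on the allowlist.
    fun handleTokenRequestHardened(): String? {
        val callers = callerPackages() ?: return null
        if (!callers.all { isTrustedSigner(it) }) return null
        return cachedToken
    }

    // Must be called on the binder thread, inside the incoming transaction
    // (an AIDL method of a bound Service, or ContentProvider.call()). Outside
    // a transaction getCallingUid() returns this process's own UID.
    private fun callerPackages(): List<String>? {
        val uid = Binder.getCallingUid()
        val pkgs = context.packageManager.getPackagesForUid(uid) ?: return null
        // Packages sharing a UID (sharedUserId) must carry the same signature,
        // so verifying all of them is cheap and leaves no package unchecked.
        return pkgs.toList().takeIf { it.isNotEmpty() }
    }

    private fun isTrustedSigner(packageName: String): Boolean {
        val pm = context.packageManager
        // Compares against the certificate(s) the installed APK is actually
        // signed with; a repackaged app reusing a trusted package name but
        // signed with a different key fails this check.
        return trustedSignerSha256.any { hex ->
            pm.hasSigningCertificate(packageName, hexToBytes(hex), PackageManager.CERT_INPUT_SHA256)
        }
    }

    private fun hexToBytes(hex: String): ByteArray =
        ByteArray(hex.length / 2) { i -> hex.substring(2 * i, 2 * i + 2).toInt(16).toByte() }
}
```

In the hardened version there is nothing to forget: a debug build that needs to talk to a debug-signed companion adds that certificate's fingerprint to the allowlist at build time (for example through a buildConfigField in the debug variant), so the release build contains no bypass path at all. The check must run inside the incoming Binder transaction; calling Binder.getCallingUid() from a later thread returns the broker's own UID, which is trusted, so the check would pass for any caller.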

Source articles (7)

  • Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users — Cybersecuritynews · 2026-06-03
    A single forgotten development flag left active in production code silently handed Microsoft account tokens to any app on an Android device, exposing billions of users across six major Microsoft 365 a…
  • Coding Gaffe Exposes Microsoft 365 Accounts to Widespread Takeover — Darkreading · 2026-06-03
    A disabled security setting meant to protect authentication across Android versions of key apps like Word, PowerPoint, and Excel paved the way for attackers to steal logins and data. A coding mistake…
  • Flagleft Microsoft 365 Android Forgotten Flag Account Takeover — enclave.ai · 2026-06-03
    How a development flag left in production allowed any app on an Android device to silently take over a Microsoft account. A development flag left in production allowed any app on an Android device to…
  • Microsoft 365 Android apps exposed account tokens via debug flag — Feeds.4Sysops · 2026-06-03
    A development flag accidentally left active in several Microsoft 365 Android applications allowed unauthorized apps to bypass security checks and harvest account access tokens. This vulnerability, dub…
  • CVE-2026-41100 — msrc.microsoft.com · 2026-06-03
  • CVE-2026-41101 — msrc.microsoft.com · 2026-06-03
  • CVE-2026-41102 — msrc.microsoft.com · 2026-06-03

Timeline

  • 2026-05-12 — CVE-2026-41100, CVE-2026-41101, CVE-2026-41102 and CVE-2026-42832 published: Microsoft disclosed the vulnerabilities in its Microsoft 365 Android apps that make up the FlagLeft cluster, including the token exposure that enables account takeover.
  • 2026-06-03 — Coverage published (Cybersecuritynews, Darkreading, enclave.ai, 4Sysops): Microsoft has released updates addressing FlagLeft in the affected Android apps; users advised to update immediately.

CVEs

  • CVE-2026-41100
  • CVE-2026-41101
  • CVE-2026-41102
  • CVE-2026-42832

Related entities

  • Data Breach (Attack Type)
  • Enclave (Company)
  • Microsoft (Company)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • CWE-287 - Improper Authentication (CWE)
  • T1041 - Exfiltration Over C2 Channel (MITRE ATT&CK)
  • Android (Platform)
  • FlagLeft (Vulnerability)