ctipilot.ch

Microsoft 365 Copilot for Android OAuth-token theft via production debug flag (CVSS 4.4); patched 2026-05-12

cve · CVE-2026-41100

Coverage timeline
1
first 2026-06-04 → last 2026-06-04
Peak priority
notable
1 notable
Sources cited
2
2 hosts
Sections touched
1
research
Co-occurring entities
3
see Related entities below
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-06-04Enclave: a single debug flag left on in six Microsoft 365 Android apps allowed silent OAuth-token theft
    research

Where this entity is cited

  • research1

Source distribution

  • securityweek.com1 (50%)
  • thehackernews.com1 (50%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Microsoft 365 Copilot for Android OAuth-token theft via production debug flag (CVSS 4.4); patched 2026-05-12 (1)

2026-06-04 · view entry permalink →

Enclave: a single debug flag left on in six Microsoft 365 Android apps allowed silent OAuth-token theft

Researchers at Enclave found a shared Android SDK across six Microsoft 365 apps shipped setIsDebugMode(true) in production, disabling the AccountManager check that restricts token sharing to trusted Microsoft apps — so any co-installed third-party app could silently obtain long-lived OAuth tokens for the signed-in Microsoft identity with no prompt (SecurityWeek, 2026-06-02 · The Hacker News, 2026-06-03). Affected: Word (CVE-2026-41101), PowerPoint (CVE-2026-41102), Excel (CVE-2026-42832), Microsoft 365 Copilot (CVE-2026-41100), Loop and OneNote — collectively billions of installs; Teams was unaffected because its flag was correctly false. Tokens granted read/write to Exchange mail, OneDrive and Calendar. Microsoft fixed all six in the 12 May 2026 cycle; no ITW reported pre-patch. Enforce minimum-version compliance for these apps via Intune/MDM on BYOD fleets and, where logs exist, review AccountManager token requests from non-Microsoft packages.

research04 Jun 05:00Zmulti-sourceOpen finding ↗