Microsoft Word for Android OAuth-token theft via production debug flag (CVSS 7.1); patched 2026-05-12

cve · CVE-2026-41101

Coverage timeline

first 2026-06-04 → last 2026-06-04

Briefs

1 distinct

Sources cited

210

82 hosts

Sections touched

—

Co-occurring entities

see Related entities below

Story timeline

2026-06-04CTI Daily Brief — 2026-06-04

Source distribution

attack.mitre.org34 (16%)
thehackernews.com18 (9%)
microsoft.com14 (7%)
msrc.microsoft.com13 (6%)
bleepingcomputer.com9 (4%)
helpnetsecurity.com7 (3%)
github.com5 (2%)
security-hub.ncsc.admin.ch5 (2%)
other105 (50%)

Related entities

Google Threat Intelligence Group AI Threat Tracker (May 2026) — first AI-generated zero-day exploit ITW; AI-augmented malware (CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE); state-actor Gemini abuse (UNC2814, APT45, APT27, UNC5673)
annual-reportannual-report:gtig-ai-threat-tracker-may-2026×1
M365 Android debug flag (setIsDebugMode) enables silent OAuth-token theft across 6 apps
vulnerability-trenditem:m365-android-debug-flag-oauth-theft-2026×1
Microsoft 365 Copilot for Android OAuth-token theft via production debug flag (CVSS 4.4); patched 2026-05-12
cveCVE-2026-41100×1
Microsoft DCU disrupts Fox Tempest MSaaS — 1,000+ Artifact Signing certs revoked; SDNY court order; downstream Rhysida, INC, Qilin, Akira + Vanilla Tempest, Storm-0501 / 2561 / 0249
incidentitem:microsoft-dcu-disrupts-fox-tempest-malware-signing-as-a-servi×1
Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners (gminer/lolMiner/SRBMiner-MULTI) under signed Microsoft binary
campaignitem:microsoft-ai-chatbot-search-poisoning-cryptojacking-screenconnect-process-hollowing×1
Microsoft Excel for Android OAuth-token theft via setIsDebugMode(true) debug flag left in production (CVSS 7.7); patched 2026-05-12
cveCVE-2026-42832×1
Microsoft MDASH — multi-model agentic vulnerability-discovery harness, 16 Windows CVEs found in network-stack kernel components
toolresearch:microsoft-mdash-2026×1
Microsoft PowerPoint for Android OAuth-token theft via production debug flag (CVSS 7.1); patched 2026-05-12
cveCVE-2026-41102×1

External references

NVD · cve.org · CISA KEV

All cited sources (210)

Items in briefs about Microsoft Word for Android OAuth-token theft via production debug flag (CVSS 7.1); patched 2026-05-12 (1)

Enclave: a single debug flag left on in six Microsoft 365 Android apps allowed silent OAuth-token theft

From CTI Daily Brief — 2026-06-04 · published 2026-06-04 · view item permalink →

Researchers at Enclave found a shared Android SDK across six Microsoft 365 apps shipped setIsDebugMode(true) in production, disabling the AccountManager check that restricts token sharing to trusted Microsoft apps — so any co-installed third-party app could silently obtain long-lived OAuth tokens for the signed-in Microsoft identity with no prompt (SecurityWeek, 2026-06-02 · The Hacker News, 2026-06-03). Affected: Word (CVE-2026-41101), PowerPoint (CVE-2026-41102), Excel (CVE-2026-42832), Microsoft 365 Copilot (CVE-2026-41100), Loop and OneNote — collectively billions of installs; Teams was unaffected because its flag was correctly false. Tokens granted read/write to Exchange mail, OneDrive and Calendar. Microsoft fixed all six in the 12 May 2026 cycle; no ITW reported pre-patch. Enforce minimum-version compliance for these apps via Intune/MDM on BYOD fleets and, where logs exist, review AccountManager token requests from non-Microsoft packages.