CVE-2026-20960: PowerApps Desktop Client Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 8)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2026-Jan

Released

2026-01-16

Last Updated

2026-01-29

EPSS Score

0.05% (percentile: 14.2%)

Description

Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.

FAQ

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability? Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges. According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). What is the target context of the remote code execution? This attack requires a user to open a specially crafted shared app from the attacker to initiate remote code execution.

Affected Products (1)

Azure

• Microsoft Power Apps Desktop Client

Security Updates (1)

• Release Notes

Acknowledgments

<a href="https://www.linkedin.com/in/alasdair-gorniak/">Alasdair Gorniak</a> and Tobias Diehl, <a href="https://www.linkedin.com/in/alasdair-gorniak/">Alasdair Gorniak</a> and Tobias Diehl

Revision History

• 2026-01-16: Information published.
• 2026-01-29: Corrected Download links in the Security Updates table. This is an informational change only.