CVE-2026-40374: Microsoft Power Automate Desktop Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 6.5)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2026-May
Released: 2026-05-12

Description

Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.

FAQ

What type of information could be disclosed by this vulnerability?

This vulnerability could expose values stored in variables that were marked as “Sensitive” within Power Automate Desktop flows. Due to a logging issue, these sensitive variable values may appear in execution logs uploaded to the Power Automate portal and be viewable by users with Owner, Co-Owner, or Runner permissions for the affected desktop flow.

Affected Products (1)

Microsoft Dynamics

  • Power Automate for Desktop

Security Updates (1)

Acknowledgments

Ioannis Panagiotopoulos with Microsoft

Revision History

  • 2026-05-12: Information published.