CVE-2026-41100: Microsoft 365 Copilot for Android Spoofing Vulnerability

Overview

Severity: Medium (CVSS 4.4)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
Category: Spoofing
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2026-May
Released: 2026-05-12
Last Updated: 2026-06-09
EPSS Score: 0.25% (percentile: 16.0%)

Description

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).

Affected Products (6)

Apps

Microsoft 365 Copilot for Android
Microsoft Word for Android

Microsoft Office

Microsoft Excel for Android
Microsoft PowerPoint for Android
Microsoft Loop for Android
Microsoft OneNote for Android

Security Updates (6)

Acknowledgments

<a href="https://twitter.com/yanir_">Yanir Tsarimi</a>

Revision History

2026-05-12: Information published.
2026-06-09: Added Microsoft Excel for Android, Microsoft Word for Android, Microsoft Loop for Android, Microsoft PowerPoint for Android and Microsoft OneNote for Android softwares to the Security Updates table. Customers that are running supported version of these products are encouraged to update to the indicated versions to be protected from this vulnerability.