A single debug flag left enabled in six Microsoft 365 Android apps allowed untrusted Android apps on the same device to receive Microsoft access tokens that should have been blocked. Microsoft fixed the flaw and assigned CVE-2026-41100, CVE-2026-41101, and CVE-2026-41102 after Enclave confirmed the issue across Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote for Android.
Keypoints
- Six Microsoft 365 Android apps shared the same debug-mode flaw.
- The bug let non-Microsoft apps receive Microsoft access tokens.
- A malicious app installed on the same device could abuse the issue with only a small amount of code.
- Stolen FOCI (Family of Client IDs) tokens, which can be exchanged for tokens scoped to other apps in the same Microsoft app family, could expose email, files, documents, and calendar data.
- Microsoft confirmed and fixed the vulnerabilities through patches and a Play Store update.