In a recent development, a vulnerability identified in several Microsoft 365 Android applications has raised concerns regarding account security. This issue stemmed from a development flag inadvertently left enabled in production builds, which disabled crucial checks designed to restrict account-token sharing solely to trusted Microsoft applications.
Details of the Vulnerability
The flaw, dubbed FlagLeft by cybersecurity firm Enclave, affected prominent applications including Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote. Collectively, these applications boast billions of downloads, making the implications of this vulnerability particularly significant. Notably, Microsoft Teams, which was shipped with the same flag set to false, remained unaffected, suggesting an oversight rather than a deliberate design choice.
Under normal circumstances, Microsoft 365 apps share account access to streamline the user experience—logging into Word eliminates the need to log in again for PowerPoint. The sharing mechanism is intended to verify the requesting application and deny access to any untrusted one. However, the vulnerability arose when a single line of code, setIsDebugMode(true), was left in the shipping code, allowing unauthorized apps on the same device to request and obtain the signed-in user’s token without any password or permission prompt.
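As an added illustration of the kind of check a stray debug flag disables (example code, not Microsoft's), here is a hypothetical caller verifier for an Android token broker; it assumes the standard PackageManager and Binder APIs, a constructed allow-list of signing-certificate hashes, and the hosting app's Gradle-generated BuildConfig.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.util.Set;

// Hypothetical caller check for a token broker (added example, not Microsoft's code).
// A shared token is released only to callers signed with an allow-listed certificate.
public final class CallerVerifier {
    private final PackageManager pm;
    private final Set<String> trustedCertSha256; // lowercase hex SHA-256 of trusted signing certs (constructed allow-list)
    private final boolean debugMode;             // the kind of flag FlagLeft left set to true
    public CallerVerifier(PackageManager pm, Set<String> trustedCertSha256, boolean debugMode) {
        // Hardened form: a permissive broker cannot be constructed in a release build, so a flag left
        // at true fails fast on first launch instead of shipping silently (BuildConfig is the app's generated class).
        if (debugMode && !BuildConfig.DEBUG) {
            throw new IllegalStateException("debug token sharing enabled in a release build");
        }
        this.pm = pm;
        this.trustedCertSha256 = trustedCertSha256;
        this.debugMode = debugMode;
    }
    /** Call from the Binder thread handling the token request. */
    public boolean isCallerTrusted() {
        if (debugMode) return true; // The bypass: every check below is skipped, so any app on the device qualifies.
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        for (String pkg : pkgs) {   // a UID may be shared by several packages; all must pass
            if (!signedByTrustedCert(pkg)) return false;
        }
        return true;
    }
    private boolean signedByTrustedCert(String pkg) {
        try {
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) return false;
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signingInfo.getApkContentsSigners()) {
                StringBuilder hex = new StringBuilder();
                for (byte b : sha256.digest(sig.toByteArray())) hex.append(String.format("%02x", b));
                if (!trustedCertSha256.contains(hex.toString())) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // unknown package, missing digest, etc.: fail closed
        }
    }
}
```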
Impact and Response
The tokens in question were FOCI (Family of Client IDs) tokens, which Microsoft uses for single sign-on across its suite of applications. These tokens can be refreshed and reused over extended periods, making the resulting traffic appear routine in system logs. From the user’s perspective, there are no visible indicators of this breach.
Enclave demonstrated a proof of concept that exploited this vulnerability, pulling tokens through an unverified third-party app and accessing user emails. Microsoft categorized the flaws as local spoofing issues, meaning that a malicious app already present on the device could exploit them.
On May 12, Microsoft addressed the issue by issuing four Common Vulnerabilities and Exposures (CVEs), all classified under improper access control (CWE-284). The CVEs included:
- CVE-2026-41100 for Microsoft 365 Copilot (CVSS 4.4)
- CVE-2026-41101 for Word (CVSS 7.1)
- CVE-2026-41102 for PowerPoint (CVSS 7.1)
- CVE-2026-42832 for Excel (CVSS 7.7)
While Enclave also reported the same vulnerability in Loop and OneNote, these applications did not receive separate CVEs in the May update. The National Vulnerability Database (NVD) has listed the patched version of Word for Android as 16.0.19822.20190, with earlier versions being vulnerable. Other affected applications were similarly updated through Google Play.
Next Steps for Users
In light of this vulnerability, users are strongly advised to update their Microsoft 365 applications—Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote—via Google Play. Security teams managing Android devices should prioritize these updates through Mobile Device Management (MDM) systems and ensure that Word for Android is at version 16.0.19822.20190 or later and that the other affected applications have received their Google Play updates.
While the patch addresses the vulnerability, it does not retroactively invalidate tokens that may have already been compromised. Since FOCI refresh tokens persist beyond app updates, it is prudent to revoke the tokens of accounts on devices that previously ran older builds alongside untrusted applications and to enforce a fresh sign-in for those accounts.