Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to bypass a security feature over a network.
AnalysisAI
Escape sequence injection in Microsoft Power Apps versions prior to 3.26032.10.0 allows authenticated attackers with low privileges to bypass security controls and achieve remote code execution with high confidentiality, integrity, and availability impact across security boundaries. The vulnerability requires user interaction and affects Power Apps 1710 (build 9.2.23071.136 and earlier). EPSS score of 0.08% (23rd percentile) suggests low probability of mass exploitation despite critical CVSS 9.0 rating. Vendor patch available via Microsoft Security Response Center advisory.
Technical ContextAI
This vulnerability stems from improper neutralization of escape, meta, or control sequences (CWE-150) in Microsoft Power Apps, a low-code development platform for building business applications. The affected product (CPE: cpe:2.3:a:microsoft:microsoft_power_apps) fails to properly sanitize or validate special character sequences that can alter the interpretation of data or commands. Escape sequence injection vulnerabilities allow attackers to embed control characters that can break out of intended data contexts, potentially manipulating application logic, bypassing security checks, or executing unauthorized operations. In Power Apps context, this likely involves injection through user-controllable fields that are processed without adequate encoding, enabling attackers to manipulate the application's execution flow or data handling mechanisms. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope.
RemediationAI
Apply vendor-released patch by upgrading Microsoft Power Apps to version 3.26032.10.0 or later as detailed in Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149. Organizations should prioritize Power Apps instances handling sensitive data or exposed to broader user populations. For environments where immediate patching is not feasible, implement compensating controls including restricting Power Apps access to trusted user populations only, implementing enhanced monitoring for anomalous authentication patterns or unexpected data access following user interactions, enforcing least-privilege principles for Power Apps user roles to limit PR:L access grants, and conducting user awareness training about social engineering attacks that could provide the required user interaction component. Note that access restrictions may limit business functionality and monitoring overhead requires security operations capacity. Review and sanitize existing Power Apps that accept user input to identify potential injection points. Validate that authentication mechanisms prevent unauthorized access as the vulnerability requires authenticated (PR:L) access as a prerequisite.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22371
GHSA-grqv-qmhw-8pwc