Skip to main content

Microsoft Teams CVE-2026-42835

| EUVDEUVD-2026-35535 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-09 secure@microsoft.com GHSA-mqcp-h3mm-5h8v
8.1
CVSS 3.1 · NVD
Temporal: 7.1
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
ENISA EUVD
HIGH
qualitative
CIRCL (temporal)
7.1 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 09, 2026 - 19:03 EUVD
Analysis Generated
Jun 09, 2026 - 17:38 vuln.today
CVE Published
Jun 09, 2026 - 17:17 nvd
HIGH 8.1

DescriptionNVD

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Teams for Android allows an authorized attacker to disclose information over a network.

AnalysisAI

Information disclosure in Microsoft Teams for Android allows an authenticated remote attacker to extract sensitive data via an injection flaw (CWE-74) in output passed to a downstream component. The CVSS 8.1 rating reflects high confidentiality and availability impact over the network with low privileges and no user interaction, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The root cause is CWE-74 (improper neutralization of special elements in output used by a downstream component), commonly known as an injection weakness. In the context of the Teams Android client, this means data flowing from the app into a downstream consumer (likely a parser, renderer, IPC channel, or backend service) is not properly sanitized, allowing crafted input to alter the semantics of that downstream channel. Microsoft Teams for Android is a mobile collaboration client that communicates with Microsoft 365 backend services over HTTPS and interacts with on-device components (WebView, Android intents, content providers), any of which could be the downstream sink being exploited.

RemediationAI

Patch available per vendor advisory - update Microsoft Teams for Android to the latest version distributed through the Google Play Store as referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42835; the exact fixed version is not enumerated in the provided intelligence and must be retrieved from that MSRC page. As a compensating control until updates roll out across the fleet, enforce mobile device management (MDM) policies to mandate auto-updates for the Teams app on managed Android devices, and consider conditional-access policies that block older Teams client versions from connecting to tenant resources - this trades off availability for users on outdated clients in exchange for blocking the vulnerable surface. Restricting Teams external federation and guest-access settings can also limit which low-privileged attackers can reach a victim tenant, though it does not remove the underlying flaw.

More in Teams

View all
CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2023-4863 HIGH POC
8.8 Sep 12

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to

CVE-2020-10146 MEDIUM POC
5.4 Dec 09

The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter tha

CVE-2023-29330 HIGH
8.8 Aug 08

Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2023-29328 HIGH
8.8 Aug 08

Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2026-21535 HIGH
8.2 Feb 19

Microsoft Teams contains an access control vulnerability that enables unauthenticated remote attackers to extract sensit

CVE-2020-17091 HIGH
7.8 Nov 11

Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica

CVE-2019-5922 HIGH
7.8 Mar 12

Untrusted search path vulnerability in The installer of Microsoft Teams allows an attacker to gain privileges via a Troj

CVE-2025-53783 HIGH
7.5 Aug 12

Heap-based buffer overflow in Microsoft Teams allows an unauthorized attacker to execute code over a network. Rated high

CVE-2025-49737 HIGH
7.0 Jul 08

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Teams allows an

Share

CVE-2026-42835 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy