Skip to main content

Microsoft EUVDEUVD-2026-22371

| CVE-2026-26149 CRITICAL
Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
2026-04-14 microsoft GHSA-grqv-qmhw-8pwc
9.0
CVSS 3.1 · NVD
Temporal: 7.9
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CIRCL (temporal)
7.9 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Apr 17, 2026 - 15:32 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 19:12 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 17:46 euvd
EUVD-2026-22371
Analysis Generated
Apr 14, 2026 - 17:46 vuln.today
Patch released
Apr 14, 2026 - 17:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 16:56 nvd
CRITICAL 9.0

DescriptionCVE.org

Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to bypass a security feature over a network.

AnalysisAI

Escape sequence injection in Microsoft Power Apps versions prior to 3.26032.10.0 allows authenticated attackers with low privileges to bypass security controls and achieve remote code execution with high confidentiality, integrity, and availability impact across security boundaries. The vulnerability requires user interaction and affects Power Apps 1710 (build 9.2.23071.136 and earlier). EPSS score of 0.08% (23rd percentile) suggests low probability of mass exploitation despite critical CVSS 9.0 rating. Vendor patch available via Microsoft Security Response Center advisory.

Technical ContextAI

This vulnerability stems from improper neutralization of escape, meta, or control sequences (CWE-150) in Microsoft Power Apps, a low-code development platform for building business applications. The affected product (CPE: cpe:2.3:a:microsoft:microsoft_power_apps) fails to properly sanitize or validate special character sequences that can alter the interpretation of data or commands. Escape sequence injection vulnerabilities allow attackers to embed control characters that can break out of intended data contexts, potentially manipulating application logic, bypassing security checks, or executing unauthorized operations. In Power Apps context, this likely involves injection through user-controllable fields that are processed without adequate encoding, enabling attackers to manipulate the application's execution flow or data handling mechanisms. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component's security scope.

RemediationAI

Apply vendor-released patch by upgrading Microsoft Power Apps to version 3.26032.10.0 or later as detailed in Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149. Organizations should prioritize Power Apps instances handling sensitive data or exposed to broader user populations. For environments where immediate patching is not feasible, implement compensating controls including restricting Power Apps access to trusted user populations only, implementing enhanced monitoring for anomalous authentication patterns or unexpected data access following user interactions, enforcing least-privilege principles for Power Apps user roles to limit PR:L access grants, and conducting user awareness training about social engineering attacks that could provide the required user interaction component. Note that access restrictions may limit business functionality and monitoring overhead requires security operations capacity. Review and sanitize existing Power Apps that accept user input to identify potential injection points. Validate that authentication mechanisms prevent unauthorized access as the vulnerability requires authenticated (PR:L) access as a prerequisite.

Share

EUVD-2026-22371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy