Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Teams for Android allows an authorized attacker to disclose information over a network.
AnalysisAI
Information disclosure in Microsoft Teams for Android allows an authenticated remote attacker to extract sensitive data via an injection flaw (CWE-74) in output passed to a downstream component. The CVSS 8.1 rating reflects high confidentiality and availability impact over the network with low privileges and no user interaction, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
The root cause is CWE-74 (improper neutralization of special elements in output used by a downstream component), commonly known as an injection weakness. In the context of the Teams Android client, this means data flowing from the app into a downstream consumer (likely a parser, renderer, IPC channel, or backend service) is not properly sanitized, allowing crafted input to alter the semantics of that downstream channel. Microsoft Teams for Android is a mobile collaboration client that communicates with Microsoft 365 backend services over HTTPS and interacts with on-device components (WebView, Android intents, content providers), any of which could be the downstream sink being exploited.
RemediationAI
Patch available per vendor advisory - update Microsoft Teams for Android to the latest version distributed through the Google Play Store as referenced in the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42835; the exact fixed version is not enumerated in the provided intelligence and must be retrieved from that MSRC page. As a compensating control until updates roll out across the fleet, enforce mobile device management (MDM) policies to mandate auto-updates for the Teams app on managed Android devices, and consider conditional-access policies that block older Teams client versions from connecting to tenant resources - this trades off availability for users on outdated clients in exchange for blocking the vulnerable surface. Restricting Teams external federation and guest-access settings can also limit which low-privileged attackers can reach a victim tenant, though it does not remove the underlying flaw.
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to
The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter tha
Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl
Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl
Microsoft Teams contains an access control vulnerability that enables unauthenticated remote attackers to extract sensit
Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica
Untrusted search path vulnerability in The installer of Microsoft Teams allows an attacker to gain privileges via a Troj
Heap-based buffer overflow in Microsoft Teams allows an unauthorized attacker to execute code over a network. Rated high
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Teams allows an
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35535
GHSA-mqcp-h3mm-5h8v