Microsoft has patched a serious security flaw affecting several Microsoft 365 applications on Android after researchers discovered that a development setting was mistakenly left enabled in production releases.
The vulnerability, dubbed “FlagLeft” by security researchers at Enclave, could have allowed any app installed on the same Android device to access a user’s Microsoft authentication tokens. With those tokens, a malicious application could potentially read emails, access files, view calendars, and even send messages while impersonating the victim—without requiring passwords, login prompts, or user consent.
What Happened?
Microsoft 365 apps are designed to share authentication tokens to provide a seamless single sign-on (SSO) experience. For example, users who sign in to Word don’t need to sign in again when opening PowerPoint or Excel.
To prevent abuse, Microsoft normally verifies that token requests come only from trusted Microsoft applications. However, researchers Yanir Tsarimi and Ofek Levin of Enclave discovered that this security verification was accidentally disabled.
The issue stemmed from a single line of code:
`setIsDebugMode(true)`
Because the flaw existed within a shared Microsoft software development kit (SDK), the same vulnerability appeared across multiple Microsoft apps.
Affected Applications
The vulnerability impacted the following Android applications:
- Microsoft Word
- Microsoft PowerPoint
- Microsoft Excel
- Microsoft 365 Copilot
- Microsoft Loop
- Microsoft OneNote
Interestingly, Microsoft Teams included the same configuration setting but had it disabled, preventing exposure. Researchers believe this was likely an oversight rather than an intentional design choice.
Why the Vulnerability Was Dangerous
The exposed credentials were Family of Client IDs (FOCI) refresh tokens, which Microsoft uses to maintain single sign-on functionality across its ecosystem.
Unlike temporary access tokens, FOCI refresh tokens can remain valid for extended periods and continuously generate new access tokens. This makes them particularly valuable to attackers because:
- They enable long-term account access.
- Malicious activity can appear legitimate in system logs.
- Victims receive no visible indication that their account has been compromised.
To demonstrate the risk, Enclave created a proof-of-concept application that successfully extracted authentication tokens from a vulnerable Microsoft app and used them to access email data.
CVEs Assigned
On May 12, Microsoft released fixes and assigned four Common Vulnerabilities and Exposures (CVE) identifiers:
| CVE | Application | CVSS Score |
|---|---|---|
| CVE-2026-41100 | Microsoft 365 Copilot | 4.4 |
| CVE-2026-41101 | Microsoft Word | 7.1 |
| CVE-2026-41102 | Microsoft PowerPoint | 7.1 |
| CVE-2026-42832 | Microsoft Excel | 7.7 |
All four vulnerabilities were classified as spoofing flaws caused by improper access control (CWE-284).
Although Microsoft Loop and OneNote were also reported as vulnerable, they did not receive separate CVE assignments in the initial disclosure.
Patched Versions
According to vulnerability records, Microsoft fixed the issue through updates distributed via Google Play.
For Microsoft Word, Android version 16.0.19822.20190 contains the fix, while earlier versions remain vulnerable. Similar updates were released for the other affected applications.
Was the Flaw Exploited?
At the time of disclosure, Microsoft stated that there was no evidence indicating the vulnerability had been publicly exploited. Additionally, the flaw was not listed among the actively exploited vulnerabilities addressed during Microsoft’s May Patch Tuesday release.
What Users Should Do
Android users should immediately update the following applications through Google Play:
- Word
- PowerPoint
- Excel
- Microsoft 365 Copilot
- Loop
- OneNote
Organizations managing Android devices should deploy the updates through their Mobile Device Management (MDM) platforms and verify that no devices remain on vulnerable builds.
Additional Security Recommendation
While the update closes the vulnerability, it does not automatically invalidate authentication tokens that may have already been stolen.
Because FOCI refresh tokens can remain valid after an application update, security teams should consider:
- Revoking existing refresh tokens.
- Forcing users to sign in again.
- Reviewing account activity for unusual access patterns.
- Auditing devices that previously ran vulnerable versions alongside untrusted applications.
Taking these additional steps can help eliminate any lingering risk from credentials that may have been exposed before the patch was installed.
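The two follow-up tasks above (verifying that no managed device remains on a vulnerable build, and deciding whose refresh tokens to revoke) can be driven from an MDM export. The script below is an added example, not Enclave's or Microsoft's code: the inventory rows are constructed, the package name `com.microsoft.office.word` is assumed, and the only build number taken from the article is the fixed Word version 16.0.19822.20190 (fixed builds for the other apps are not given, so the script flags them for manual review).

```python
"""Triage an MDM app inventory after the FlagLeft fix (added example).

Devices running a Word build older than the fixed one are reported, and
the users of those devices are listed for refresh-token revocation and
forced re-sign-in. Inventory rows below are constructed sample data."""
from typing import Iterable, Optional

# Minimum fixed build per Android package (package name assumed).
# Only Word's fixed build is stated in the article; other apps are absent,
# so they come back as "unknown" and must be checked by hand.
FIXED_BUILDS = {
    "com.microsoft.office.word": "16.0.19822.20190",
}

def parse_version(v: str) -> tuple:
    """Dotted build string -> int tuple, so 16.0.9999.x sorts below
    16.0.19822.x (a plain string compare would get this backwards)."""
    return tuple(int(part) for part in v.strip().split("."))

def is_vulnerable(package: str, installed: str) -> Optional[bool]:
    """True if the installed build predates the fix; None if the fixed
    build for this package is not known to the script."""
    fixed = FIXED_BUILDS.get(package)
    if fixed is None:
        return None
    return parse_version(installed) < parse_version(fixed)

def triage(inventory: Iterable[dict]) -> dict:
    """Rows look like {"device", "user", "package", "version"}.
    Returns vulnerable devices, rows needing manual review, and the users
    whose sessions should be revoked (e.g. via Microsoft Graph
    POST /users/{id}/revokeSignInSessions, then forced to sign in again)."""
    rows = list(inventory)
    vulnerable, unknown = [], []
    for r in rows:
        verdict = is_vulnerable(r["package"], r["version"])
        if verdict is None:
            unknown.append(r["device"])
        elif verdict:
            vulnerable.append(r["device"])
    users = sorted({r["user"] for r in rows if r["device"] in vulnerable})
    return {"vulnerable_devices": vulnerable, "needs_review": unknown,
            "revoke_users": users}

# Constructed sample export; versions other than the fixed one are invented.
SAMPLE_INVENTORY = [
    {"device": "dev-001", "user": "alice@example.com", "package": "com.microsoft.office.word", "version": "16.0.19822.20190"},
    {"device": "dev-002", "user": "bob@example.com", "package": "com.microsoft.office.word", "version": "16.0.19729.20100"},
    {"device": "dev-003", "user": "carol@example.com", "package": "com.microsoft.office.word", "version": "16.0.9999.20000"},
    {"device": "dev-004", "user": "dave@example.com", "package": "com.microsoft.office.excel", "version": "16.0.19822.20190"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```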
Bottom Line: A simple debugging flag left enabled in production created a significant security gap across several widely used Microsoft 365 Android apps. Although Microsoft has released fixes and there is currently no evidence of active exploitation, users and organizations should update affected apps immediately and consider revoking existing authentication tokens as an added precaution.
