Description
Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.
Published: 2026-01-13
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local security feature bypass in Microsoft Excel
Action: Patch ASAP
AI Analysis

Impact

Improper access control in Microsoft Office Excel enables an unauthorized attacker to bypass a built‑in security feature when the application is run locally. This bypass can allow local users or malware that has local execution privileges to elevate privileges or execute malicious code that would normally be blocked by the security feature. The impact is a loss of integrity and confidentiality of data processed by or stored in affected Excel workbooks.

Affected Systems

The vulnerability affects Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC for Mac 2021, and Microsoft Office LTSC for Mac 2024. Both 32‑bit and 64‑bit Windows installations and macOS versions are affected; no specific version numbers are listed, indicating that all releases within the mentioned product lines are impacted.

Risk and Exploitability

With a CVSS score of 7.8, the vulnerability is rated High, and the EPSS score of less than 1% indicates a very low but nonzero probability of exploitation. It is not currently listed in the CISA KEV catalog. The likely attack vector is local, requiring access to a machine with an affected version of Excel; the attacker can supply a crafted workbook or command to bypass the security guard. Because the feature is bypassed locally, the risk is focused on end‑user workstations rather than remote denial of service.

Generated by OpenCVE AI on April 16, 2026 at 08:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Office security update from the official update guide linked in the advisory.
  • If a patch cannot be applied immediately, disable or modify the vulnerable security feature, for example by adjusting macro settings or running Excel in Safe Mode.
  • Run all Excel workbooks through a reputable antivirus or endpoint protection before opening them.


Advisories

No advisories yet.

History

Fri, 16 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared: Microsoft office Long Term Servicing Channel
CPEs:
  • cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
  • cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
  • cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:macos:*:*
Vendors & Products: Microsoft office Long Term Servicing Channel

Tue, 13 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Description: Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.
Title: Microsoft Excel Security Feature Bypass Vulnerability
First Time appeared:
  • Microsoft
  • Microsoft 365 Apps
  • Microsoft office 2021
  • Microsoft office 2024
  • Microsoft office Macos 2021
  • Microsoft office Macos 2024
Weaknesses: CWE-284
CPEs:
  • cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
  • cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
  • cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*
  • cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*
Vendors & Products:
  • Microsoft
  • Microsoft 365 Apps
  • Microsoft office 2021
  • Microsoft office 2024
  • Microsoft office Macos 2021
  • Microsoft office Macos 2024
References
Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:17.581Z

Reserved: 2025-12-04T20:04:16.339Z

Link: CVE-2026-20949

Vulnrichment

Updated: 2026-01-13T18:39:46.466Z

NVD

Status: Analyzed

Published: 2026-01-13T18:16:22.487

Modified: 2026-01-16T16:20:58.787

Link: CVE-2026-20949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T08:15:29Z

Weaknesses