Impact
Microsoft Power Apps Desktop Client contains an improper authorization weakness. An attacker who already holds authenticated access to the application can bypass the privilege checks that should constrain that account and execute arbitrary code over a network with rights beyond those the account was granted. A successful attack therefore puts the confidentiality, integrity and availability of the affected system and its data at risk. The weakness class is improper authorization, that is, a privileged action is performed without a sufficient permission check on the caller.
Affected Systems
The advisory covers the Windows installation of Microsoft Power Apps Desktop Client. It does not enumerate affected version numbers, so until a fixed build is identified every deployed copy of the desktop client should be inventoried and treated as in scope.
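The following PowerShell inventory script is an added example and is not code from Microsoft or OpenCVE. It lists Power Apps desktop client installs on a host from the standard Uninstall registry keys and from Appx (Store/MSIX) packages, then compares each version with a fixed version supplied by the administrator. The name patterns ('*Power Apps*' for the registry DisplayName and '*PowerApps*' for the Appx package name) and the $FixedVersion parameter are assumptions; fill the latter in from the vendor advisory once it publishes fixed builds, and run the script elevated so that -AllUsers can see every profile.

```powershell
# Added inventory check for Power Apps desktop client installs.
# Not Microsoft's or OpenCVE's code. Assumptions: the product registers a DisplayName
# containing "Power Apps" in the Uninstall keys, or an Appx package name containing
# "PowerApps". $FixedVersion is a placeholder to be filled from the vendor advisory.
param(
    [string]$FixedVersion = $null
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$findings = @()

# Classic MSI/EXE installs: enumerate the Uninstall registry keys.
# The DisplayName pattern is an assumed match, not taken from the advisory.
foreach ($key in $uninstallKeys) {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Power Apps*' }
    foreach ($e in $entries) {
        $findings += [pscustomobject]@{
            Source   = 'Registry'
            Name     = $e.DisplayName
            Version  = $e.DisplayVersion
            Location = $e.InstallLocation
        }
    }
}

# Store/MSIX installs: enumerate Appx packages for all user profiles.
# The package name pattern is an assumed match, not taken from the advisory.
$appx = Get-AppxPackage -AllUsers -Name '*PowerApps*' -ErrorAction SilentlyContinue
foreach ($pkg in $appx) {
    $findings += [pscustomobject]@{
        Source   = 'Appx'
        Name     = $pkg.Name
        Version  = $pkg.Version
        Location = $pkg.InstallLocation
    }
}

if (-not $findings) {
    Write-Output "No Power Apps desktop client detected on $env:COMPUTERNAME"
    return
}

# Emit one record per install; the comparison only runs once a fixed version is known.
foreach ($f in $findings) {
    $status = 'Unknown (no fixed version published)'
    if ($FixedVersion -and $f.Version) {
        try {
            $status = if ([version]$f.Version -lt [version]$FixedVersion) { 'VULNERABLE' } else { 'Patched' }
        } catch {
            $status = "Unparseable version '$($f.Version)'"
        }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Source   = $f.Source
        Name     = $f.Name
        Version  = $f.Version
        Location = $f.Location
        Status   = $status
    }
}
```

Run it without arguments to get a raw inventory (every hit is reported as Unknown), and with -FixedVersion once the advisory names a fixed build; the output objects can be piped to Export-Csv or collected over Invoke-Command for fleet-wide triage.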
Risk and Exploitability
The CVSS base score of 8.0 places the vulnerability in the high-severity band. The EPSS score is below 1%, which estimates a low probability of exploitation activity in the wild over the next 30 days; EPSS measures likelihood, not impact, so it does not reduce the consequences of a successful attack. The vulnerability is not listed in the CISA KEV catalog. From the description, the attack vector is network-based and the attacker must already be authenticated to the application, so the prerequisite is a valid account rather than an unauthenticated foothold. Exploitation would chain the authorization bypass into code execution on the target host, which could lead to full compromise of the user's environment.
OpenCVE Enrichment