Description
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
Published: 2026-01-26
Score: 7.8 High
EPSS: 10.9% Moderate
KEV: Yes
Impact: Local Security Bypass
Action: Immediate Patch
AI Analysis

Impact

This vulnerability stems from Microsoft Office's reliance on untrusted inputs in a security decision, enabling an unauthorized attacker to bypass a security feature locally. The bypass removes a key protection check that normally enforces policies on document handling or macro execution, potentially allowing the execution of malicious code or the loading of untrusted content. The weakness is categorized as CWE‑807, implicating improper validation of internal data inputs.

Affected Systems

Microsoft 365 Apps for Enterprise, Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft Office LTSC 2024 are affected. The vulnerability applies to all installed versions of these products where the related feature is enabled. No specific sub‑release details are provided.

Risk and Exploitability

The CVSS base score of 7.8 classifies this as High risk, and an EPSS of 11% indicates a relatively high probability of exploitation. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, underscoring real‑world prioritization. Likely attack vectors involve local execution of a crafted Office document or file from an untrusted source, after which the attacker can bypass the security feature and execute code. The exploit does not require network privileges and can be performed by users with local access, making it a significant concern in environments with unrestricted Office usage.

Generated by OpenCVE AI on April 21, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for CVE-2026-21509 to all affected Office installations.
  • If the update is unavailable or delayed, run the Vicarius mitigation script to disable the bypassed security feature and enforce strict macro policy constraints.
  • Configure Office and related Group Policy settings to restrict macro execution and disable legacy file format support as advised in the CISA KEV advisory.

Generated by OpenCVE AI on April 21, 2026 at 23:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 27 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft office
Microsoft office Long Term Servicing Channel
CPEs cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x64:*
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:x86:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x64:*
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:-:x86:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x64:*
cpe:2.3:a:microsoft:office_long_term_servicing_channel:2024:*:*:*:*:-:x86:*
Vendors & Products Microsoft office
Microsoft office Long Term Servicing Channel

Mon, 26 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
References

Mon, 26 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-01-26T00:00:00+00:00', 'dueDate': '2026-02-16T00:00:00+00:00'}

Mon, 26 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C'}

Mon, 26 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
Title Microsoft Office Security Feature Bypass Vulnerability
First Time appeared Microsoft
Microsoft 365 Apps
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
Weaknesses CWE-807
CPEs cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:microsoft:office_2016:*:*:*:*:*:*:x86:*
cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
Vendors & Products Microsoft
Microsoft 365 Apps
Microsoft office 2016
Microsoft office 2019
Microsoft office 2021
Microsoft office 2024
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Apps Office Office 2016 Office 2019 Office 2021 Office 2024 Office Long Term Servicing Channel
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:28.047Z

Reserved: 2025-12-30T18:10:54.844Z

Link: CVE-2026-21509

cve-icon Vulnrichment

Updated: 2026-02-10T14:57:48.648Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-26T18:16:38.540

Modified: 2026-02-11T15:40:33.473

Link: CVE-2026-21509

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses