Description
Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network.
Published: 2026-04-14
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Spoofing
Action: Immediate Patch
AI Analysis

Impact

Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network. This flaw, classified as CWE-150, can let an attacker impersonate legitimate users or misrepresent actions, undermining trust.

Affected Systems

Microsoft Power Apps is the affected product. No specific application version is listed, so all deployments of Microsoft Power Apps could be at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 9, which this record rates Critical, and an EPSS score of < 1%, reflecting a very low but non-zero likelihood that it will be exploited in the wild. It is not listed in the CISA KEV catalog. The attack is carried out over a network and requires the attacker to be an authenticated user who can submit crafted input containing escape, meta, or control sequences that are not properly neutralized. The CVSS vector recorded in the history also marks low privileges required and user interaction required (PR:L, UI:R).

Generated by OpenCVE AI on April 21, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Microsoft security portal for the latest patch or mitigation guidance.
  • Apply any released update for Power Apps as soon as it becomes available.
  • Restrict or monitor the privileges of users who have access to the affected Power Apps features until a patch is applied.
  • Consider implementing additional input validation to neutralize escape and control sequences as a temporary safeguard.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 21:15:00 +0000

Title
  Removed: Microsoft Power Apps Spoofing Vulnerability
  Added: Microsoft Power Apps Desktop Client Spoofing Vulnerability
First Time appeared
  Added: Microsoft power Apps Desktop Client
CPEs
  cpe:2.3:a:microsoft:power-apps:*:*:*:*:*:*:*:*
  cpe:2.3:a:microsoft:power_apps_desktop_client:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Microsoft power Apps Desktop Client

Mon, 20 Apr 2026 21:00:00 +0000

Description
  Removed: Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to bypass a security feature over a network.
  Added: Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network.
Title
  Removed: Microsoft Power Apps Security Feature Bypass
  Added: Microsoft Power Apps Spoofing Vulnerability

Tue, 14 Apr 2026 18:30:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 17:30:00 +0000

Description
  Added: Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to bypass a security feature over a network.
Title
  Added: Microsoft Power Apps Security Feature Bypass
First Time appeared
  Added: Microsoft
  Added: Microsoft power-apps
Weaknesses
  Added: CWE-150
CPEs
  Added: cpe:2.3:a:microsoft:power-apps:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Microsoft
  Added: Microsoft power-apps
References
Metrics
  Added: cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:U/RL:T/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-30T14:40:53.854Z

Reserved: 2026-02-11T16:24:51.135Z

Link: CVE-2026-26149

Vulnrichment

Updated: 2026-04-14T17:58:31.045Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:16:45.790

Modified: 2026-04-20T21:16:08.007

Link: CVE-2026-26149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z
