Description
Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.
Published: 2026-04-23
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

This vulnerability arises from an uncontrolled search path element that Microsoft Power Apps does not validate. It permits an unauthorized attacker who can reach the application over a network to execute arbitrary code on the host system. The weakness is classified as CWE-427 (Uncontrolled Search Path Element), indicating a failure to control the search path used to locate resources. Exploitation would compromise the integrity and availability of the affected environment and could lead to full system compromise.

Affected Systems

Microsoft Power Apps. No specific version information is provided, so all current releases are potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS base score of 8 signals high severity. The EPSS score of less than 1% indicates a low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. The description suggests the likely attack vector is a remote network connection, requiring the attacker to connect to the Power Apps instance. No privilege escalation is stated, so an unauthenticated or low-privilege attacker could potentially exploit the flaw if network access is granted.

Generated by OpenCVE AI on April 28, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft patch for CVE-2026-32172 as released by the Microsoft Security Response Center.
  • Upgrade Microsoft Power Apps to the latest version that includes the fix.
  • Restrict network access to the Power Apps service to trusted IP ranges or a VPN to limit exposure to the vulnerability.



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft power Apps
CPEs cpe:2.3:a:microsoft:power_apps:-:*:*:*:*:-:*:*
Vendors & Products Microsoft power Apps

Fri, 24 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Description Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network.
Title Microsoft Power Apps Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft power-apps
Weaknesses CWE-427
CPEs cpe:2.3:a:microsoft:power-apps:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft power-apps
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:39:56.182Z

Reserved: 2026-03-10T23:09:43.266Z

Link: CVE-2026-32172

Vulnrichment

Updated: 2026-04-24T14:55:06.909Z

NVD

Status: Analyzed

Published: 2026-04-23T22:16:33.720

Modified: 2026-04-29T19:11:12.690

Link: CVE-2026-32172

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:30:26Z

Weaknesses