Description
Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
Published: 2026-05-12
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthorized user to read files or directories that are accessible to external parties within Microsoft Office Word applications. The flaw exposes local data that should remain confidential, resulting in a breach of confidentiality consistent with CWE-552.

Affected Systems

Microsoft products affected by this issue include Microsoft 365 Apps for Enterprise, Microsoft Office 2019, Office LTSC 2021, Office LTSC 2024, and Microsoft Word 2016. Specific version information is not provided in the current data set.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity risk. The EPSS score is not available and the vulnerability is not listed in CISA KEV, suggesting low to moderate exploitation likelihood. The description indicates that files or directories accessible to external parties in Word can be read by an unauthorized attacker locally. It is not explicitly stated whether remote exploitation is possible; based on the wording, it is inferred that an attacker would need local or shared‑network access to the vulnerable files. Therefore, the risk is primarily confined to environments where file permissions or external sharing settings are misconfigured.

Generated by OpenCVE AI on May 12, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Office updates; check the Microsoft website for available patches or roll‑out notices.
  • Review file system and network share permissions to ensure that Office documents are not readable by unauthorized users.
  • Disable or restrict any external sharing features that expose documents or directories to external parties.
  • Consider enabling file and folder level encryption for sensitive content to add an extra layer of protection.


Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

Type: Values Added (the Values Removed column is empty for every row)

Description: Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
Title: Microsoft Word Information Disclosure Vulnerability
First Time appeared: Microsoft; Microsoft 365 Apps; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024; Microsoft word 2016
Weaknesses: CWE-552
CPEs:
  • cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
  • cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
  • cpe:2.3:a:microsoft:word_2016:*:*:*:*:*:*:*:*
Vendors & Products: Microsoft; Microsoft 365 Apps; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024; Microsoft word 2016
References: (no value shown)
Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:53:35.638Z

Reserved: 2026-04-02T19:21:11.805Z

Link: CVE-2026-35440

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:17:14.287

Modified: 2026-05-12T18:17:14.287

Link: CVE-2026-35440

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:15:24Z

Weaknesses