Description
Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.
Published: 2026-05-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Microsoft Power Automate for Desktop allows an attacker with authorized access to disclose sensitive information over a network. This leads to unintended exposure of confidential data, potentially compromising confidentiality and causing data leakage. The flaw is classified as CWE‑200, indicating an information disclosure weakness.

Affected Systems

Microsoft Power Automate for Desktop is affected. No specific version range is listed in the data, so all installations of the product may be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 6.5 denotes moderate severity: the impact is significant but not critical. Because EPSS data is not available, a precise exploitation probability cannot be quantified; the vulnerability is not listed in KEV, so it is not recognized as a known exploited vulnerability, which suggests limited public exploitation. The attack vector is inferred to be network-based: an authenticated user can trigger the disclosure of sensitive data while connected to network resources.

Generated by OpenCVE AI on May 12, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest update for Power Automate Desktop from the Microsoft Security Response Center link (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40374) to address the disclosure directly.
  • Restrict access to Power Automate Desktop by using role‑based access control so that only users with legitimate business need can run flows that might expose sensitive data, and ensure flows do not request or store unnecessary information.
  • Apply network segmentation or firewall rules to limit the exposure of Power Automate Desktop traffic to trusted internal networks only, reducing the likelihood that an attacker can capture disclosed data over the network.

Generated by OpenCVE AI on May 12, 2026 at 20:09 UTC.


Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type                  Values Removed   Values Added
Description                            Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.
Title                                  Microsoft Power Automate Desktop Information Disclosure Vulnerability
First Time appeared                    Microsoft; Microsoft Power Automate For Desktop
Weaknesses                             CWE-200
CPEs                                   cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*:*
Vendors & Products                     Microsoft; Microsoft Power Automate For Desktop
References
Metrics                                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


Subscriptions

Microsoft Power Automate For Desktop
MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T18:08:22.789Z

Reserved: 2026-04-11T23:06:15.615Z

Link: CVE-2026-40374

Vulnrichment

Updated: 2026-05-12T19:33:30.905Z

NVD

Status : Analyzed

Published: 2026-05-12T18:17:16.347

Modified: 2026-05-19T18:04:59.820

Link: CVE-2026-40374

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:30:23Z

Weaknesses