Description
Improper access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
Published: 2026-05-12
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper access control in the Microsoft Office Click‑To‑Run component lets an already authorized local user (PR:L in the published CVSS vector) act with rights above those granted to the account. Click‑To‑Run is the privileged installation and update service behind every affected Office SKU, so a bypass of its permission checks lets the attacker perform actions that should require higher rights and compromises the integrity of the host, not just of Office. The weakness is classified as CWE‑284 (Improper Access Control).

Affected Systems

The vulnerability affects Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021, and Office LTSC 2024; the CPE entries on this page use wildcard versions. No fixed build is listed here, so treat every current release of these products as affected until the update is confirmed installed.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) describes a local attack by a low‑privileged account with no user interaction and low complexity, and a changed scope: the impact reaches beyond the Office component to the host, with high confidentiality, integrity, and availability loss. No EPSS value is available and the CVE is not listed in KEV, but neither fact lowers the risk for a flaw that any user with a local session can attempt; physical access is not required (that would be AV:P, not AV:L). The temporal metrics in the published vector (E:U/RL:O/RC:C) record no known exploit, an official fix, and a confirmed report. The realistic threats are insiders and attackers who have already compromised an ordinary user account and want elevated control of the workstation.

Generated by OpenCVE AI on May 12, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The published CVSS temporal vector carries RL:O (official fix available), so check the Microsoft Security Update Guide entry for CVE-2026-40420 rather than assuming no update exists.

OpenCVE Recommended Actions

  • Apply the Microsoft security update that addresses CVE-2026-40420 as soon as it is available, and verify the installed Click‑To‑Run build on every affected host rather than relying on the update being scheduled.
  • If the update cannot be applied immediately, limit who can log on to the affected machines (the flaw needs only a low‑privileged local session) and enforce least privilege for those accounts. Do not expect to "disable" Click‑To‑Run: it is the installation and update mechanism for all four affected products, so stopping or removing it blocks security updates rather than removing the attack surface. Until patched, treat these hosts as exposed to any local user.
  • Monitor endpoints for privilege‑escalation activity (Security log event 4672, special privileges assigned to a new logon, and processes launched with elevated tokens from ordinary user sessions), and periodically review local group membership and ACLs against the principle of least privilege.
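An added example for the first two recommendations (this is not OpenCVE's or Microsoft's code): a PowerShell function that reads the Click‑To‑Run configuration every affected Office SKU records in the registry, compares the installed build to a minimum build you supply, and can invoke the Click‑To‑Run update client when the host is behind. The fixed build for CVE-2026-40420 is not on this page, so `-MinimumBuild` is an assumption to be taken from the Microsoft advisory; the registry value names (`VersionToReport`, `ProductReleaseIds`, `UpdateChannel`, `Platform`), the service name `ClickToRunSvc`, and the `OfficeC2RClient.exe /update user` invocation are standard Click‑To‑Run fixtures.

```powershell
# Added example for this page (not OpenCVE's or Microsoft's code): report whether a
# Click-to-Run Office install is at or above a minimum build, and optionally trigger
# the Click-to-Run update client when it is not.
# ASSUMPTION: the fixed build for CVE-2026-40420 is not listed on the page, so the
# caller supplies -MinimumBuild from the Microsoft advisory once it is published.

function Test-OfficeC2RBuild {
    [CmdletBinding()]
    param(
        # ASSUMPTION: pass the real fixed build, e.g. [version]'16.0.NNNNN.NNNNN'.
        [Parameter(Mandatory)][version]$MinimumBuild,
        [switch]$TriggerUpdate
    )

    # Click-to-Run installs record their state under this key; it is absent for
    # MSI-based Office or when no Office is installed.
    $c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (-not (Test-Path -Path $c2rKey)) {
        return [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            ClickToRun     = $false
            InstalledBuild = $null
            MinimumBuild   = $MinimumBuild
            Compliant      = $null   # nothing to assess: not a Click-to-Run install
            Note           = 'No Click-to-Run Office configuration found'
        }
    }

    $cfg       = Get-ItemProperty -Path $c2rKey
    $installed = [version]$cfg.VersionToReport      # e.g. 16.0.xxxxx.xxxxx
    $compliant = $installed -ge $MinimumBuild

    # ClickToRunSvc is the privileged service named in the CVE; report its state.
    $service   = Get-Service -Name ClickToRunSvc -ErrorAction SilentlyContinue
    $svcStatus = if ($service) { $service.Status } else { 'ClickToRunSvc not found' }

    # The update client ships with every Click-to-Run install; '/update user' asks it
    # to apply the next available build from the configured update channel.
    $triggered = $false
    if (-not $compliant -and $TriggerUpdate) {
        $client = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
        if (Test-Path -Path $client) {
            Start-Process -FilePath $client -ArgumentList '/update', 'user' -Wait
            $triggered = $true
        }
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ClickToRun      = $true
        Products        = $cfg.ProductReleaseIds     # e.g. O365ProPlusRetail
        UpdateChannel   = $cfg.UpdateChannel         # CDN URL identifying the channel
        Platform        = $cfg.Platform              # x86 or x64
        InstalledBuild  = $installed
        MinimumBuild    = $MinimumBuild
        Compliant       = $compliant
        ServiceStatus   = $svcStatus
        UpdateTriggered = $triggered
    }
}

# Example run. ASSUMPTION: 16.0.0.0 is a placeholder, not the real fixed build.
Test-OfficeC2RBuild -MinimumBuild ([version]'16.0.0.0') | Format-List
```

Reading the key needs no elevation, so the check can run under the logged‑on user; across a fleet, wrap the call in `Invoke-Command` and collect the objects centrally, treating `Compliant = $false` as exposed to any local account until the build rolls forward. Hosts that report `ClickToRun = $false` are not covered by this check and need a separate inventory of their Office installation type.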


Advisories

No advisories yet.

History

Tue, 12 May 2026 19:15:00 +0000

Type: Metrics (ssvc)
  Values removed: none
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 17:30:00 +0000

Type: Description
  Values removed: none
  Values added: Improper access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.
Type: Title
  Values removed: none
  Values added: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
Type: First Time appeared
  Values removed: none
  Values added: Microsoft; Microsoft 365 Apps; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024
Type: Weaknesses
  Values removed: none
  Values added: CWE-284
Type: CPEs
  Values removed: none
  Values added:
    cpe:2.3:a:microsoft:365_apps:*:*:*:*:enterprise:*:*:*
    cpe:2.3:a:microsoft:office_2019:*:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office_2021:*:*:*:*:long_term_servicing_channel:*:*:*
    cpe:2.3:a:microsoft:office_2024:*:*:*:*:long_term_servicing_channel:*:*:*
Type: Vendors & Products
  Values removed: none
  Values added: Microsoft; Microsoft 365 Apps; Microsoft office 2019; Microsoft office 2021; Microsoft office 2024
Type: References
  Values removed: none
  Values added: none
Type: Metrics (cvssV3_1)
  Values removed: none
  Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-13T03:56:54.169Z

Reserved: 2026-04-13T00:27:50.799Z

Link: CVE-2026-40420

Vulnrichment

Updated: 2026-05-12T18:59:13.407Z

NVD

Status : Received

Published: 2026-05-12T18:17:20.190

Modified: 2026-05-12T18:17:20.190

Link: CVE-2026-40420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:45:15Z

Weaknesses