Improper access control in Microsoft 365 Copilot for Android allows an authorized attacker to spoof identity locally, potentially masquerading as another user or process within the same device. The flaw arises because the application does not enforce proper authorization before setting the identity state, which can lead to confusion about the true source of data or actions inside the app. Classified as CWE‑284, this weakening of authorization can result in credential theft or other unauthorized actions performed under a false identity, but it does not provide remote code execution or direct network compromise.

All installations of Microsoft 365 Copilot for Android that are accessed by users with authorized Microsoft accounts are affected. The advisory does not list specific version ranges, so any unpatched version may be vulnerable. The vulnerability applies only to the local environment on the device and requires the attacker to have reasonable access to the device or user account.

The CVSS base score of 4.4 indicates moderate severity. No EPSS score is available, so the expected exploitation probability is unclear. The vulnerability is not featured in CISA’s KEV catalogue, implying no wide‑scale exploitation has been documented. An attacker would need an authenticated user with access to the device; the attack vector is therefore local and requires elevated privilege within the application.