Description
Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.
Published: 2026-05-12
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally. The flaw enables a malicious user with local access to craft or modify content that the Office suite will treat as trusted, effectively deceiving the user.

Affected Systems

Affected products include Microsoft Excel for Android, Microsoft Word for Android, and the Office LTSC editions for macOS released in 2021 and 2024. No specific versions are listed, so all current installed copies of these applications are potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.7 categorizes the vulnerability as high severity, indicating significant risk if exploited. The EPSS score of 0.00042 (<1%) suggests a very low likelihood of exploitation, and it is not listed in CISA’s KEV catalog, implying there have been no widely known attacks. The likely attack vector is local; an attacker would need local or physical access to a device running the affected Office version to create or modify files that trigger the spoofing behavior. If successful, the attacker could manipulate the appearance or authenticity of documents, deceiving users.

Generated by OpenCVE AI on May 16, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Microsoft Office to the latest patched release available for all affected platforms.
  • Ensure that mobile Office apps (Excel and Word for Android) are updated to the newest version through the app store.
  • Configure device and application security settings to enforce strict file validation and restrict execution of unauthorized scripts or macros.

Advisories

No advisories yet.

History

Tue, 19 May 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Microsoft office Long Term Servicing Channel |
| CPEs | `cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:macos:*:*` | `cpe:2.3:a:microsoft:office_long_term_servicing_channel:2021:*:*:*:*:macos:*:*` |
| Vendors & Products | | Microsoft office Long Term Servicing Channel |

Sat, 16 May 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Microsoft office |
| Weaknesses | | NVD-CWE-noinfo |
| CPEs | | `cpe:2.3:a:microsoft:office:2021:*:*:*:ltsc:macos:*:*`; `cpe:2.3:a:microsoft:office:2024:*:*:*:ltsc:macos:*:*` |
| Vendors & Products | | Microsoft office |

Wed, 13 May 2026 11:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Microsoft excel For Android; Microsoft word For Android |
| Vendors & Products | | Microsoft excel For Android; Microsoft word For Android |

Tue, 12 May 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Tue, 12 May 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally. |
| Title | | Microsoft Office Spoofing Vulnerability |
| First Time appeared | | Microsoft; Microsoft excel; Microsoft office Macos 2021; Microsoft office Macos 2024; Microsoft word |
| Weaknesses | | CWE-284 |
| CPEs | | `cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:*`; `cpe:2.3:a:microsoft:office_macos_2021:*:*:*:*:*:long_term_servicing_channel:*:*`; `cpe:2.3:a:microsoft:office_macos_2024:*:*:*:*:*:long_term_servicing_channel:*:*`; `cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*` |
| Vendors & Products | | Microsoft; Microsoft excel; Microsoft office Macos 2021; Microsoft office Macos 2024; Microsoft word |
| References | | |
| Metrics | | cvssV3_1 `{'score': 7.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}` |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T18:09:13.456Z

Reserved: 2026-04-30T14:51:12.703Z

Link: CVE-2026-42832

Vulnrichment

Updated: 2026-05-12T18:54:27.765Z

NVD

Status: Analyzed

Published: 2026-05-12T18:17:25.800

Modified: 2026-05-19T18:38:59.530

Link: CVE-2026-42832

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T04:00:11Z

Weaknesses