Description
Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper access control flaw in Office for Android that allows an unauthorized attacker to execute local spoofing. This permits the attacker to impersonate legitimate content or users within the Office applications, potentially misleading users about the authenticity of documents or messages. The flaw could be leveraged to manipulate user interactions, leading to confusion, mistaken trust, or the transmission of incorrect information.

Affected Systems

Microsoft Excel for Android, Microsoft PowerPoint for Android, and Microsoft Word for Android on Android devices are affected. No specific version numbers are listed, indicating that any installed build of these applications could be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.1 classifies this as a High severity issue, and the EPSS score is not available, meaning there is no publicly quantified exploitation probability yet. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack likely requires local device access; an attacker who can inject malicious input or trigger the application locally can exploit the access control defect to spoof user identities or content.

Generated by OpenCVE AI on June 9, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Office for Android update from Microsoft or Google Play to remove the access control weakness.
  • If an update cannot be applied immediately, uninstall or disable the Office for Android application to prevent local spoofing activities.
  • Configure the device to block installation of apps from unknown sources or apply managed device policies that restrict local application privileges until the vulnerability is patched.



Advisories

No advisories yet.

History

Tue, 09 Jun 2026 22:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft excel For Android; Microsoft powerpoint For Android; Microsoft word For Android
Vendors & Products | | Microsoft excel For Android; Microsoft powerpoint For Android; Microsoft word For Android

Tue, 09 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.
Title | | Office for Android Spoofing Vulnerability
First Time appeared | | Microsoft; Microsoft excel; Microsoft powerpoint; Microsoft word
Weaknesses | | CWE-284
CPEs | | cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:*; cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:*; cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*
Vendors & Products | | Microsoft; Microsoft excel; Microsoft powerpoint; Microsoft word
References | |
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-09T21:50:10.258Z

Reserved: 2026-05-12T20:33:35.157Z

Link: CVE-2026-45649

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-09T17:17:32.040

Modified: 2026-06-09T19:32:51.440

Link: CVE-2026-45649

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T22:15:14Z

Weaknesses