- What: A debug flag (setIsDebugMode(true)) left in production builds of 6 Microsoft 365 Android apps (Word, Excel, PowerPoint, Copilot, Loop, OneNote) disabled auth checks, letting any app on the device silently steal FOCI refresh tokens -- no user interaction or permissions required.
- Impact: Stolen FOCI tokens grant persistent read/write access to email, files, and calendars; they survive app updates and appear as legitimate traffic in logs, making detection difficult. Four CVEs issued: CVE-2026-41100 through CVE-2026-42832 (CVSS up to 7.7).
- Fix / mitigation: Update all six apps to Word build 16.0.19822.20190 or later via Google Play -- push via MDM for managed fleets. Patching alone does NOT revoke already-stolen tokens; revoke refresh tokens and force re-sign-in for any device that ran vulnerable builds alongside untrusted apps.
- Who's at risk: Any Android user or enterprise device running Microsoft 365 apps before the May 12, 2026 patch, especially devices with sideloaded apps, third-party stores enabled, or outside strict MDM control.
Single Line of Code Bypassed All Authentication
A development flag left active in production builds of Microsoft Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote for Android completely disabled the authentication check that restricts account token sharing to trusted Microsoft apps. The single line—setIsDebugMode(true)—remained in shipping code across all affected applications, allowing any malicious app installed on the same device to request and receive signed-in user tokens without triggering passwords, login screens, or permission prompts.
Researchers Yanir Tsarimi and Ofek Levin from Enclave Security discovered the vulnerability, which they designated FlagLeft. The flaw existed in a shared Microsoft SDK, propagating the same security hole across multiple applications. Microsoft Teams shipped with the debug flag correctly set to false and remained unaffected, indicating the issue resulted from an implementation mistake rather than intentional design.
FOCI Tokens Provide Long-Term Access
The tokens exposed by this vulnerability are FOCI (Family of Client IDs) refresh tokens, which Microsoft uses to enable single sign-on across its application family. These tokens can be refreshed and reused over extended periods, and the resulting authentication traffic appears routine in system logs, making detection extremely difficult. Once obtained, these tokens grant attackers the ability to read email, access files, browse calendars, and send messages as the compromised user with no visible indication to the victim.
Enclave built a functional proof-of-concept demonstrating token extraction through an unverified third-party app and successfully used the stolen tokens to access email. Microsoft classifies these vulnerabilities as local spoofing flaws under improper access control (CWE-284), meaning a malicious application already present on the device is the only prerequisite for exploitation.
The vulnerability existed because Microsoft 365 apps legitimately share account access by design—signing into Word automatically provides access to PowerPoint. The handoff mechanism is supposed to verify the requesting application's identity and reject non-Microsoft apps, but the debug flag completely bypassed this verification.
Four CVEs Issued, Two Apps Remain Unassigned
Microsoft issued four CVEs on May 12, 2026, all classified as spoofing vulnerabilities. CVE-2026-41100 covers Microsoft 365 Copilot with a CVSS score of 4.4. CVE-2026-41101 addresses Word with a score of 7.1. CVE-2026-41102 covers PowerPoint, also at 7.1. CVE-2026-42832 addresses Excel with the highest severity rating of 7.7. Despite Enclave reporting identical flaws in Loop and OneNote, these applications did not receive separate CVE assignments in the May patch batch.
The National Vulnerability Database lists the patched Word build for Android as version 16.0.19822.20190, with all earlier versions affected. Microsoft deployed fixes for the other applications through the same Google Play update cycle. No vulnerabilities in Microsoft's May Patch Tuesday release were listed as publicly known or actively exploited at the time of disclosure, and no public evidence exists indicating the flaw was leveraged before patches became available.
Immediate Action Required
Organizations running Microsoft 365 Android applications must immediately update Word, PowerPoint, Excel, Microsoft 365 Copilot, Loop, and OneNote through Google Play. Security teams managing Android device fleets should push updates through mobile device management systems and verify all devices are running builds at or above version 16.0.19822.20190.
The update closes the vulnerability but does not retroactively invalidate tokens that attackers may have already extracted. FOCI refresh tokens survive app updates and continue functioning after patches are applied.
Token Revocation Essential for Compromised Devices
For accounts on devices that ran vulnerable builds alongside untrusted applications, updating alone provides insufficient protection. Organizations must revoke refresh tokens and force fresh sign-ins for potentially compromised accounts. This step is critical because FOCI tokens outlive application updates—stolen tokens remain valid even after the security hole is closed.
Security teams should prioritize devices where users had both Microsoft 365 apps and third-party applications installed, particularly devices outside strict MDM control or those with sideloaded apps. Review Azure AD sign-in logs for accounts accessing Microsoft services from Android devices during the vulnerability window. Look for anomalous token refresh patterns or unexpected geographic locations that might indicate stolen tokens in active use.
Supply Chain Risk in Shared SDKs
This incident highlights supply chain risk within software development kits. Because the vulnerable code existed in a shared Microsoft SDK, the same security flaw propagated across six separate applications, multiplying the attack surface. Organizations building mobile applications should audit shared libraries and SDKs for debug flags, test modes, or development features that might remain active in production builds.
- Implement automated build pipeline checks that flag debug mode settings in production code
- Maintain separate SDK versions for development and production with compile-time enforcement
- Conduct pre-release security reviews specifically examining authentication bypass mechanisms
- Monitor for applications requesting tokens without corresponding user authentication events
- Establish token refresh anomaly detection to identify potential stolen credential usage
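As an added illustration of the first two recommendations above (not code from Microsoft, Enclave, or the affected apps), a Python pipeline gate that fails the build when a shipping source set hard-codes setIsDebugMode(true); the file paths and file contents are constructed, and only an argument tied to the build type (BuildConfig.DEBUG) or a literal false is accepted.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample sources standing in for a checked-out repo (path -> contents).
# Not code from the affected apps; the SDK/app layout is assumed for illustration.
SAMPLE_SOURCES: Dict[str, str] = {
    "sdk/src/main/java/com/example/auth/Broker.kt":
        "class Broker {\n"
        "    fun init() {\n"
        "        config.setIsDebugMode(true)   // hard-coded debug mode\n"
        "    }\n"
        "}\n",
    "app/src/main/java/com/example/App.kt":
        "config.setIsDebugMode(BuildConfig.DEBUG)\n",
    "sdk/src/test/java/com/example/auth/BrokerTest.kt":
        "config.setIsDebugMode(true)\n",
}

# Capture the argument of every setIsDebugMode(...) call on a line.
DEBUG_CALL = re.compile(r"setIsDebugMode\(\s*(?P<arg>[^)]*?)\s*\)")
# Arguments that cannot leave debug mode on in a release build.
ALLOWED_ARGS = {"false", "BuildConfig.DEBUG"}

def is_production_source(path: str) -> bool:
    """Test and debug-only source sets never ship, so they are skipped."""
    parts = path.split("/")
    return not ({"test", "androidTest", "debug"} & set(parts))

def find_hardcoded_debug(sources: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, argument) for each shipping call that hard-codes debug mode."""
    findings = []
    for path, text in sources.items():
        if not is_production_source(path):
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in DEBUG_CALL.finditer(line):
                arg = m.group("arg")
                if arg not in ALLOWED_ARGS:
                    findings.append((path, line_no, arg))
    return findings

def gate(sources: Dict[str, str]) -> int:
    """Pipeline exit status: 0 when clean, 1 when a hard-coded debug flag would ship."""
    findings = find_hardcoded_debug(sources)
    for path, line_no, arg in findings:
        print(f"FAIL {path}:{line_no}: setIsDebugMode({arg}) in production source")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_SOURCES))
```

Wire gate() into the release job so a non-zero status blocks publishing; a real repo would walk the source tree instead of the in-memory dictionary.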
Detection and Response Considerations
Detection of this vulnerability's exploitation presents significant challenges. Because stolen FOCI tokens generate authentication traffic that appears legitimate in logs, distinguishing between normal user activity and attacker access requires correlation with device posture and application installation data. Organizations with mobile threat defense solutions should review alerts for applications attempting unusual inter-process communication with Microsoft 365 apps.
For incident response teams investigating potential compromise, focus on accounts where Microsoft 365 mobile apps were active on devices with elevated risk profiles—rooted devices, devices with unknown app stores enabled, or devices flagged for policy violations. Token theft leaves minimal forensic evidence on the device itself, so analysis must center on authentication logs and unusual access patterns in Microsoft 365 services. Given the tokens' long-lived nature and the vulnerability's extended presence in production code, assume wider exposure than current evidence suggests and implement defensive token rotation across high-value accounts.
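The sign-in log review described above (anomalous refresh patterns and unexpected geographies for Android Microsoft 365 traffic), as an added Python example that is not part of the original article: the records are constructed and simplified, their field names are an assumption rather than a real log export, and each record stands for one token refresh or sign-in.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed, simplified sign-in records (not real Entra ID / Azure AD export data).
SAMPLE_SIGNINS: List[Dict[str, str]] = [
    {"user": "alice@example.com", "app": "Microsoft Word", "os": "Android",
     "ip": "198.51.100.10", "country": "US", "time": "2026-05-10T08:00:00"},
    {"user": "alice@example.com", "app": "Microsoft Excel", "os": "Android",
     "ip": "198.51.100.10", "country": "US", "time": "2026-05-10T09:30:00"},
    # Same account, same day, token traffic from a second country and IP.
    {"user": "alice@example.com", "app": "Microsoft Word", "os": "Android",
     "ip": "203.0.113.77", "country": "DE", "time": "2026-05-10T11:05:00"},
    {"user": "bob@example.com", "app": "Microsoft Word", "os": "Android",
     "ip": "192.0.2.5", "country": "US", "time": "2026-05-10T08:15:00"},
    {"user": "bob@example.com", "app": "Microsoft Word", "os": "Android",
     "ip": "192.0.2.5", "country": "US", "time": "2026-05-11T08:15:00"},
    # Non-Android traffic is outside the scope of this review.
    {"user": "bob@example.com", "app": "Microsoft Word", "os": "Windows",
     "ip": "203.0.113.9", "country": "FR", "time": "2026-05-10T10:00:00"},
]

# The six affected apps; display names are assumed.
M365_APPS = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint",
             "Microsoft 365 Copilot", "Microsoft Loop", "Microsoft OneNote"}

def find_token_anomalies(records, window=timedelta(hours=24), max_ips=2):
    """Per account, flag Android Microsoft 365 token activity that spans more than
    one country, or more than max_ips distinct IPs, inside a rolling window."""
    by_user = defaultdict(list)
    for r in records:
        if r["os"] == "Android" and r["app"] in M365_APPS:
            by_user[r["user"]].append((datetime.fromisoformat(r["time"]), r))
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for i, (t, r) in enumerate(events):
            recent = [e for e in events[:i + 1] if t - e[0] <= window]
            countries = {e[1]["country"] for e in recent}
            ips = {e[1]["ip"] for e in recent}
            if len(countries) > 1:
                alerts.append((user, t.isoformat(), "countries", sorted(countries)))
                break  # one alert per account is enough to queue a token revocation
            if len(ips) > max_ips:
                alerts.append((user, t.isoformat(), "ips", sorted(ips)))
                break
    return alerts
```

Each alert names the account whose refresh tokens should be revoked and re-issued; tune the window and IP threshold to the fleet's normal mobility before acting on the output.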