A significant vulnerability found in several Microsoft 365 Android applications allowed any app on a device to access sensitive user data, including emails, files, and calendar information, without requiring authentication. This critical mobile security vulnerability, dubbed “FlagLeft” by security researchers at Enclave, was caused by a development flag inadvertently left enabled in production builds, bypassing crucial security checks for account token sharing.
Microsoft has since released patches for the affected applications, and users are strongly advised to update their Microsoft 365 apps on Android to the latest versions.
Microsoft 365 Android Vulnerability Patched
The discovered flaw, which Enclave researchers Yanir Tsarimi and Ofek Levin identified, resided within a shared Microsoft SDK used across multiple applications. This meant the vulnerability impacted a broad array of widely used productivity tools, including Microsoft Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote. Collectively, these applications boast billions of downloads, highlighting the extensive potential reach of this security lapse.
In contrast, Microsoft Teams was reportedly not affected, as the relevant flag was set to ‘false’ in its production build. Enclave interprets this as an indication of an accidental oversight rather than a design choice, suggesting the issue stemmed from a coding error.
Microsoft 365 applications are designed to share account access seamlessly. For instance, signing into Word is intended to authenticate users across other Microsoft apps like PowerPoint without requiring a separate login. This process typically involves a verification step to ensure that only trusted Microsoft applications can request and receive these authentication tokens. However, the FlagLeft vulnerability circumvented this safeguard.
The root cause of the issue was a single line of code, setIsDebugMode(true), which was left enabled in the production code. This simple error effectively disabled the security check that normally limits account token sharing to authorized Microsoft applications. Consequently, any third-party application installed on the same Android device could potentially request and obtain the user’s signed-in token. This would grant unauthorized access to view emails, open files, browse calendar entries, and send messages impersonating the legitimate user, all without any visible login screens or permission prompts.
The tokens compromised were FOCI (Family of Accounts tokens) refresh tokens, which Microsoft utilizes for single sign-on (SSO) across its suite of applications. These tokens are designed for prolonged validity and can be refreshed and reused over extended periods. The traffic generated by these tokens often appears routine in system logs, making detection difficult from a user’s perspective.
Enclave successfully demonstrated a proof of concept, showcasing how a non-Microsoft application could illicitly acquire these tokens and subsequently access user emails. Microsoft has categorized these vulnerabilities as local spoofing flaws, meaning that an attacker would need to have already compromised the device with a malicious application to exploit them.
CVEs Issued for Microsoft 365 Android Flaws
Microsoft officially disclosed the vulnerability by issuing four Common Vulnerabilities and Exposures (CVEs) on May 12, 2026. All were classified as spoofing vulnerabilities under improper access control (CWE-284). The identified CVEs and their respective CVSS scores are: CVE-2026-41100 for Microsoft 365 Copilot (CVSS 4.4), CVE-2026-41101 for Word (CVSS 7.1), CVE-2026-41102 for PowerPoint (CVSS 7.1), and CVE-2026-42832 for Excel (CVSS 7.7).
Enclave also reported similar flaws in Microsoft Loop and OneNote; however, separate CVEs were not assigned for these applications in the May patch cycle. The National Vulnerability Database (NVD) lists version 16.0.19822.20190 as the patched build for Microsoft Word on Android, with earlier versions being susceptible. Other affected applications were similarly fixed through updates pushed via Google Play.
According to Microsoft’s May Patch Tuesday release notes, none of the vulnerabilities were publicly known or actively exploited at the time of the disclosures. There is currently no public evidence to suggest that this particular flaw was utilized by attackers prior to the implementation of the fix.
For users and organizations managing Android fleets, the immediate action required is to update the aforementioned Microsoft 365 applications from Google Play. Security teams should leverage Mobile Device Management (MDM) solutions to enforce these updates and ensure that devices are running builds later than 16.0.19822.20190. While the patches effectively close the security hole, they do not retroactively invalidate any tokens that might have already been compromised by an attacker.
FOCI refresh tokens have a lifespan that extends beyond application updates. Therefore, for accounts on devices that ran an older, vulnerable build in conjunction with potentially untrusted applications, it is recommended to revoke existing refresh tokens and prompt users to sign in again. This will ensure that new, secure tokens are issued, mitigating any lingering risks from potential token theft.
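The two remediation steps above (verify installed builds from MDM inventory, then revoke refresh tokens for exposed accounts) as an added example in Python; this is not Enclave's or Microsoft's code. The inventory rows are constructed, the Android package names are assumed, the only threshold taken from the article is the Word patched build 16.0.19822.20190, and the Graph revokeSignInSessions request is built but not sent.

```python
"""Fleet triage for the FlagLeft patch state (added example, not from the article)."""
from typing import Dict, List, Set, Tuple

# Patched build the NVD lists for Word on Android; earlier builds are susceptible.
# Package name is assumed; add other apps with their own thresholds as they are confirmed.
PATCHED_BUILDS: Dict[str, str] = {
    "com.microsoft.office.word": "16.0.19822.20190",
}

# Constructed MDM inventory rows. "untrusted_apps" marks devices that also carried
# sideloaded or otherwise untrusted apps while the vulnerable build was installed.
INVENTORY: List[dict] = [
    {"device": "d-001", "user": "alice@example.com", "package": "com.microsoft.office.word",
     "version": "16.0.19822.20190", "untrusted_apps": False},
    {"device": "d-002", "user": "bob@example.com", "package": "com.microsoft.office.word",
     "version": "16.0.19730.20112", "untrusted_apps": True},
    {"device": "d-003", "user": "carol@example.com", "package": "com.microsoft.office.word",
     "version": "16.0.9999.1", "untrusted_apps": False},
    {"device": "d-004", "user": "dave@example.com", "package": "com.microsoft.teams",
     "version": "1416.0.0.1", "untrusted_apps": True},
]


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn a dotted build string into an int tuple so comparison is numeric.
    Plain string comparison is wrong here: "16.0.9999.1" sorts *after*
    "16.0.19822.20190" lexically but is an older build."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(package: str, installed: str) -> bool:
    """True when the installed build is older than the patched build for that app."""
    min_safe = PATCHED_BUILDS.get(package)
    if min_safe is None:
        return False  # app not tracked here (e.g. Teams, which was not affected)
    return parse_build(installed) < parse_build(min_safe)


def triage(inventory: List[dict]) -> Tuple[List[str], List[str]]:
    """Return (devices needing an update, users whose refresh tokens should be revoked)."""
    needs_update: List[str] = []
    revoke_users: Set[str] = set()
    for row in inventory:
        if is_vulnerable(row["package"], row["version"]):
            needs_update.append(row["device"])
            if row["untrusted_apps"]:  # exposure condition from the guidance above
                revoke_users.add(row["user"])
    return needs_update, sorted(revoke_users)


def revoke_request(user: str) -> Tuple[str, str]:
    """Build (method, URL) for the Microsoft Graph revokeSignInSessions action,
    which invalidates the user's refresh tokens; sending it is left to the caller."""
    return "POST", f"https://graph.microsoft.com/v1.0/users/{user}/revokeSignInSessions"
```
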
The next expected step is for Microsoft to continue monitoring for any residual impact and to further reinforce its development practices to prevent similar oversights in future updates. Users should remain vigilant and always apply software updates promptly to maintain optimal mobile security.