Full Report
A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt.
Analysis Summary
# Vulnerability: FlagLeft - Microsoft 365 Android Account Token Theft
## CVE Details
- **CVE ID:**
  - CVE-2026-41100 (Copilot)
  - CVE-2026-41101 (Word)
  - CVE-2026-41102 (PowerPoint)
  - CVE-2026-42832 (Excel)
- **CVSS Score:** 4.4 to 7.7 (Medium to High)
- **CWE:** CWE-284: Improper Access Control (Spoofing)
## Affected Systems
- **Products:** Microsoft Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote for Android.
- **Versions:** Builds earlier than 16.0.19822.20190.
- **Configurations:** Production builds of the software where a development SDK flag was erroneously enabled.
## Vulnerability Description
Dubbed **"FlagLeft"** by researchers, this flaw stems from a development flag, `setIsDebugMode(true)`, left active in a shared Microsoft SDK used by multiple Android applications. Under normal conditions, Microsoft apps that belong to the same Family of Client IDs (FOCI) share a Family Refresh Token (FRT) to provide single sign-on (SSO); before handing that token to another app, the SDK is supposed to verify that the requesting app is a trusted, Microsoft-signed member of the family. With the debug flag set, that caller check was skipped, so any third-party application on the same device could request and receive a valid FRT without user interaction or a permission prompt. Because a family refresh token can be redeemed for access tokens for any app in the family, whoever holds it can read mail, files and calendar entries and send messages as the user, exactly as the summary above describes.
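The shape of the bug, as an added illustration rather than code from any Microsoft SDK: a token broker whose caller verification can be switched off by a development flag, next to a hardened version that keeps the check unconditional and refuses the flag in a non-debuggable build. The broker classes, the allow-list of signing-certificate digests and the certificate bytes are all constructed for the example.

```python
"""Model of the FlagLeft failure mode: a caller check that a debug flag can switch off.

Added illustration, not code from any Microsoft SDK. The broker classes, the
allow-list of signing-certificate digests and the certificate bytes below are
all constructed for the example.
"""
import hashlib
from typing import List, Optional

# Constructed allow-list: SHA-256 digests of the signing certificates that the
# token broker trusts. A real broker compares the caller's signing certificate
# against the known family certificates; these two values are invented.
TRUSTED_SIGNER_DIGESTS = {
    hashlib.sha256(b"constructed-microsoft-word-signing-cert").hexdigest(),
    hashlib.sha256(b"constructed-microsoft-outlook-signing-cert").hexdigest(),
}


def signer_digest(signing_cert_der: bytes) -> str:
    """Digest of the caller's signing certificate, i.e. what the broker would
    derive from the requesting package's signature on Android."""
    return hashlib.sha256(signing_cert_der).hexdigest()


class VulnerableTokenBroker:
    """Vulnerable shape: a development switch bypasses caller verification,
    and nothing stops that switch from being left on in a release build."""

    def __init__(self, family_refresh_token: str, debug_mode: bool = False):
        self._frt = family_refresh_token
        self.debug_mode = debug_mode  # the setIsDebugMode(true) of the report

    def get_family_token(self, caller_cert_der: bytes) -> Optional[str]:
        if self.debug_mode:
            return self._frt  # signer check skipped: any caller gets the FRT
        if signer_digest(caller_cert_der) in TRUSTED_SIGNER_DIGESTS:
            return self._frt
        return None


class HardenedTokenBroker:
    """Hardened shape: the signer check is unconditional, and a debug flag is
    refused at construction unless the build itself is debuggable."""

    def __init__(self, family_refresh_token: str, debug_mode: bool = False,
                 build_is_debuggable: bool = False):
        if debug_mode and not build_is_debuggable:
            # Fail closed: a release build carrying the development flag is a
            # configuration error, so refuse to start rather than run insecurely.
            raise ValueError("debug mode is not permitted in a release build")
        self._frt = family_refresh_token
        self._debug_mode = debug_mode
        self.denied_callers: List[str] = []  # populated only in debug mode

    def get_family_token(self, caller_cert_der: bytes) -> Optional[str]:
        digest = signer_digest(caller_cert_der)
        if digest in TRUSTED_SIGNER_DIGESTS:
            return self._frt
        if self._debug_mode:
            self.denied_callers.append(digest)  # debug adds visibility, never a bypass
        return None


def release_build_rejects_debug_flag() -> bool:
    """True when the hardened broker refuses the debug flag in a release build."""
    try:
        HardenedTokenBroker("frt-example", debug_mode=True, build_is_debuggable=False)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Ask both brokers for the token as a trusted app and as a rogue app."""
    trusted = b"constructed-microsoft-word-signing-cert"
    rogue = b"constructed-rogue-flashlight-app-signing-cert"
    vulnerable = VulnerableTokenBroker("frt-example", debug_mode=True)
    hardened = HardenedTokenBroker("frt-example")
    return {
        "vulnerable_trusted": vulnerable.get_family_token(trusted),
        "vulnerable_rogue": vulnerable.get_family_token(rogue),
        "hardened_trusted": hardened.get_family_token(trusted),
        "hardened_rogue": hardened.get_family_token(rogue),
    }


if __name__ == "__main__":
    print(demo())
    print("release build rejects debug flag:", release_build_rejects_debug_flag())
```

The point of the hardened constructor is that the flag is rejected at startup, before any token can flow, so a build with the flag left on fails loudly in QA instead of silently handing out tokens in production.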
## Exploitation
- **Status:** PoC available (demonstrated by Enclave researchers); no known exploitation in the wild at the time of reporting.
- **Complexity:** Low
- **Attack Vector:** Local (Requires a malicious app to be installed on the same device).
## Impact
- **Confidentiality:** High (Full access to emails, files, calendars, and messages).
- **Integrity:** High (Ability to send messages and modify files as the authenticated user).
- **Availability:** Low (Primary impact is data theft and account impersonation).
## Remediation
### Patches
- Update all affected Microsoft 365 apps via the Google Play Store to version **16.0.19822.20190** or later.
### Workarounds
- **Revoke Active Tokens:** Installing the patched build does not invalidate a family refresh token that a malicious app has already obtained; that token stays usable until it expires or is revoked. Administrators should revoke refresh tokens for high-risk users (in Microsoft Entra ID, the `revokeSignInSessions` action on the user object) so that every app has to complete a fresh, verified sign-in.
- **MDM Enforcement:** Use Mobile Device Management (MDM) to ensure all corporate-enrolled Android devices are running the patched versions.
## Detection
- **Indicators of Compromise:** Few. Exploitation produces no permission prompt or sign-in screen on the device, and a token obtained this way is used exactly like a legitimate one, so the main local indicator is an unfamiliar third-party app installed on a device whose account then shows activity the user did not perform.
- **Detection methods:** Review OAuth sign-in and token-issuance logs for the affected apps' client IDs from unexpected locations, IP ranges or times, keeping in mind that a stolen family refresh token is redeemed through the same endpoints as normal app traffic and will mostly look routine. The most dependable control is inventory: use MDM to enumerate devices running any affected app below the fixed build, and treat their users as candidates for token revocation.
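A triage script for the MDM-based step recommended under both Workarounds and Detection, added here as an example and not taken from the report or any vendor tool. The fixed build 16.0.19822.20190 and the product list come from the advisory; the Android package names, the record layout and the sample inventory are assumptions made for the example and should be checked against your own MDM export. It also shows why build strings must be compared numerically rather than as text.

```python
"""Triage an MDM application inventory for FlagLeft-affected builds.

Added example, not from the report or any vendor tool. The fixed build
16.0.19822.20190 and the product list come from the advisory; the Android
package names, the record layout and the sample inventory are assumptions
made for the example and should be checked against your own MDM export.
"""
from typing import Dict, Iterable, List, Tuple

FIXED_BUILD = "16.0.19822.20190"

# Assumed package names for the affected products (verify in your inventory).
AFFECTED_PACKAGES: Dict[str, str] = {
    "com.microsoft.office.word": "Word",
    "com.microsoft.office.powerpoint": "PowerPoint",
    "com.microsoft.office.excel": "Excel",
    "com.microsoft.office.onenote": "OneNote",
    "com.microsoft.loop": "Loop",
    "com.microsoft.copilot": "Microsoft 365 Copilot",
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn a dotted build string into a tuple of ints for ordering.

    Comparing the strings directly is the classic mistake: as text,
    "16.0.9999.20000" sorts after "16.0.19822.20190" although it is older.
    A non-numeric suffix on a component ends parsing at that component.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_vulnerable_build(version: str) -> bool:
    """True when the build is older than the fixed build.

    Tuple comparison treats a missing trailing component as lower, so a
    truncated or unparsable version is conservatively flagged as vulnerable.
    """
    return parse_build(version) < parse_build(FIXED_BUILD)


def triage(inventory: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per affected app installation below the fixed build."""
    findings = []
    for rec in inventory:
        product = AFFECTED_PACKAGES.get(rec["package"])
        if product is None:
            continue  # not one of the affected apps
        if is_vulnerable_build(rec["version"]):
            findings.append({
                "device_id": rec["device_id"],
                "user": rec["user"],
                "product": product,
                "version": rec["version"],
            })
    return findings


def users_to_revoke(findings: Iterable[Dict[str, str]]) -> List[str]:
    """Distinct users whose refresh tokens should be revoked.

    Each can be revoked with the Microsoft Graph action
    POST /users/{id}/revokeSignInSessions (not called here; offline example).
    """
    return sorted({f["user"] for f in findings})


# Constructed sample inventory in the record shape this example expects.
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "user": "alice@example.com",
     "package": "com.microsoft.office.word", "version": "16.0.19800.20100"},
    {"device_id": "dev-001", "user": "alice@example.com",
     "package": "com.microsoft.office.excel", "version": "16.0.19822.20190"},
    {"device_id": "dev-002", "user": "bob@example.com",
     "package": "com.microsoft.office.powerpoint", "version": "16.0.19822.20200"},
    {"device_id": "dev-003", "user": "carol@example.com",
     "package": "com.microsoft.office.onenote", "version": "16.0.9999.20000"},
    {"device_id": "dev-003", "user": "carol@example.com",
     "package": "com.example.flashlight", "version": "3.2.1"},
    {"device_id": "dev-004", "user": "dave@example.com",
     "package": "com.microsoft.loop", "version": "16.0.19822.20190"},
]


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['device_id']} {f['user']} {f['product']} {f['version']}")
    print("revoke:", users_to_revoke(triage(SAMPLE_INVENTORY)))
```

On the sample data the script flags Word on dev-001 and OneNote on dev-003, and produces alice and carol as the users to revoke; the OneNote entry is the one a naive string comparison would have missed.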
## References
- **Enclave Disclosure:** hxxps[://]enclave[.]ai/blog/flagleft-microsoft-365-android-forgotten-flag-account-takeover
- **MSRC Update Guide:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-41101
- **Source Article:** hxxps[://]thehackernews[.]com/2026/06/microsoft-365-android-apps-let-any-app.html