Critical

Spoofing / security warning bypass in Microsoft Power Apps external protocol links

IdentifiersCVE-2026-26149CWE-150· Improper Neutralization of Escape,…

CVE-2026-26149 is an improper neutralization of escape, meta, or control sequences vulnerability in Microsoft Power Apps. According to the provided advisory context, the flaw allows an authorized attacker to bypass a security feature over a network. Specifically, successful exploitation can bypass the security warning dialog shown for external protocol links in Power Apps canvas apps. By manipulating how external protocol link content is handled, an attacker can cause users to be misled about the nature of the action being triggered, resulting in spoofing and unintended external protocol invocation on the user’s device. Microsoft assessed the issue as Important, with reporting also describing it as a high-severity Power Apps flaw with a CVSS score of 9.0.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to bypass the external protocol security warning dialog in Microsoft Power Apps, enabling spoofing of link behavior and misleading users into launching unintended external protocol handlers on their device. The advisory context further indicates this may enable interaction with other tenants' applications and content. The primary impact is security feature bypass and spoofing, with potential downstream access to external applications or content via user-triggered protocol handling rather than direct code execution.

Mitigation

If you can’t patch tonight, do this now.

Until full remediation is confirmed, avoid interacting with untrusted or suspicious Power Apps canvas apps, especially apps that present or trigger external protocol links. Restrict exposure to untrusted app content, review apps that invoke external protocol handlers, and follow Microsoft's temporary workaround guidance where available. Organizations should monitor Microsoft advisory updates for any revised mitigation or final fix status.

Remediation

Patch, then assume compromise.

Apply Microsoft's available fix for CVE-2026-26149 in Microsoft Power Apps. The provided advisory context states that Microsoft had made a temporary fix/workaround available at the time of publication and that customers should implement the vendor-provided remediation and monitor Microsoft for any final or updated service-side fix guidance. Because Power Apps is a Microsoft-managed platform, remediation may be delivered by the vendor rather than through a traditional customer-installed patch.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationPower Appsapplication

Microsoft CorporationPower Apps Desktop Clientapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

zeropath blogNews

Apr 23, 2026

Brief Summary: Microsoft Power Apps CVE-2026-32172 Uncontrolled Search Path Leading to Remote Code Execution - ZeroPath Blog | ZeroPath

A high-severity Microsoft Power Apps vulnerability involving improper neutralization of escape, meta, or control sequences.

cyberscoopNews

Apr 14, 2026

Microsoft drops its second-largest monthly batch of defects on record | CyberScoop

A critical vulnerability affecting Microsoft Power Apps that Microsoft designated as less likely to be exploited.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-26149

NVD

nvd.nist.gov/vuln/detail/CVE-2026-26149

MITRE CWE · CWE-150

Improper Neutralization of Escape, Meta, or…

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149