A critical security flaw has been identified in several Microsoft 365 Android applications, including Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote. This vulnerability, dubbed FlagLeft by cybersecurity firm Enclave, arises from a development flag inadvertently left active in production versions of these apps. This oversight effectively disabled the security mechanism that restricts account-token sharing to trusted Microsoft applications, thereby exposing user data to potential unauthorized access.
Understanding the Vulnerability
The core of this issue lies in the setIsDebugMode(true) flag, which was mistakenly left enabled in the production builds of the affected applications. This flag’s activation bypassed the standard verification process that ensures only trusted Microsoft applications can access shared account tokens. Consequently, any application installed on the same device could request and obtain the signed-in user’s token without triggering a password prompt, login screen, or permission request. This unauthorized access granted malicious applications the ability to read emails, open files, browse calendars, and send messages on behalf of the user.
Scope of the Impact
The affected applications—Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote—collectively account for billions of downloads worldwide. Notably, Microsoft Teams was not impacted, as it shipped with the debug flag correctly set to false. This discrepancy suggests that the issue was likely an oversight rather than a deliberate design choice.
Technical Details
Microsoft 365 applications are designed to facilitate seamless account access across different apps. For instance, signing into Word should automatically grant access to PowerPoint without requiring additional authentication. This process relies on the Family of Client IDs (FOCI) tokens, which are refresh tokens used for single sign-on across Microsoft’s suite of applications. These tokens can be refreshed and reused over extended periods, and their associated network traffic typically appears routine, making unauthorized access difficult to detect.
Enclave’s security researchers, Yanir Tsarimi and Ofek Levin, discovered that the debug flag’s activation led to the omission of the verification check that distinguishes between trusted and untrusted applications. This flaw resided within a shared Microsoft Software Development Kit (SDK), causing the vulnerability to manifest across multiple applications.
Proof of Concept and Exploitation
Enclave successfully developed a proof-of-concept exploit demonstrating how an unverified third-party application could extract tokens and access user emails without detection. Microsoft has classified these vulnerabilities as local spoofing flaws, indicating that exploitation requires the presence of a malicious application already installed on the device.
Microsoft’s Response and CVEs
In response to the discovery, Microsoft issued patches and assigned the following Common Vulnerabilities and Exposures (CVEs) on May 12:
– CVE-2026-41100 for Microsoft 365 Copilot (CVSS score: 4.4)
– CVE-2026-41101 for Word (CVSS score: 7.1)
– CVE-2026-41102 for PowerPoint (CVSS score: 7.1)
– CVE-2026-42832 for Excel (CVSS score: 7.7)
While the same flaw was reported in Microsoft Loop and OneNote, separate CVEs were not issued for these applications in the May batch. The patched version for Word on Android is 16.0.19822.20190, with earlier versions being vulnerable. Updates for the other applications were distributed through Google Play Store updates.
Mitigation Steps
To protect against potential exploitation, users are strongly advised to update the affected applications—Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote—via the Google Play Store. Security teams managing Android devices should confirm that Word is running version 16.0.19822.20190 or later and that the other affected applications have received their Play Store updates.
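One way for a device-management team to do that check, as an added example that is not Enclave's or Microsoft's code: it parses the versionName line from the output of `adb shell dumpsys package` for each device and compares it, component by component, against the patched Word build named above. It assumes the Word package name is com.microsoft.office.word and uses constructed dumpsys excerpts as input.

```python
import re

PATCHED_WORD_VERSION = "16.0.19822.20190"  # patched Word build named in the advisory

# Constructed sample dumpsys excerpts, one per device (real output is far longer).
# Assumed package name: com.microsoft.office.word.
SAMPLE_DUMPSYS = {
    "device-A": "Package [com.microsoft.office.word] (1a2b3c):\n"
                "  versionCode=2003137 minSdk=26 targetSdk=34\n"
                "  versionName=16.0.19729.20094\n",
    "device-B": "Package [com.microsoft.office.word] (4d5e6f):\n"
                "  versionName=16.0.19822.20190\n",
    "device-C": "Package [com.microsoft.office.word] (7a8b9c):\n"
                "  versionName=16.0.9999.10000\n",  # a string compare would wrongly rank this as newer
    "device-D": "Unable to find package: com.microsoft.office.word\n",
}

VERSION_RE = re.compile(r"^\s*versionName=(\d+(?:\.\d+)*)\s*$", re.MULTILINE)


def parse_version(dumpsys_text):
    """Return the versionName as a tuple of ints, or None if the package is absent."""
    m = VERSION_RE.search(dumpsys_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _pad(version, width):
    return version + (0,) * (width - len(version))


def is_vulnerable(version, patched=PATCHED_WORD_VERSION):
    """Numeric, component-wise compare: any build below the patched one is vulnerable."""
    fixed = parse_version("versionName=" + patched)
    width = max(len(version), len(fixed))
    return _pad(version, width) < _pad(fixed, width)


def audit(dumpsys_by_device):
    """Map each device to 'patched', 'vulnerable' or 'not installed'."""
    result = {}
    for device, text in dumpsys_by_device.items():
        version = parse_version(text)
        if version is None:
            result[device] = "not installed"
        else:
            result[device] = "vulnerable" if is_vulnerable(version) else "patched"
    return result


if __name__ == "__main__":
    for device, status in audit(SAMPLE_DUMPSYS).items():
        print(f"{device}: {status}")
```

A "patched" result only says the app is current; it says nothing about whether a refresh token was already taken while the device ran a vulnerable build, which is why the token revocation discussed next still applies.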
Note that while the patch addresses the vulnerability, it does not invalidate tokens that may have already been compromised. FOCI refresh tokens persist beyond app updates, so for accounts on devices that previously ran vulnerable builds alongside untrusted applications, it is advisable to revoke existing refresh tokens and require fresh sign-ins.
Conclusion
The FlagLeft vulnerability underscores the critical importance of rigorous quality assurance processes in software development, especially for applications with extensive user bases. Even a single line of code left unchecked can lead to significant security risks. Users and organizations must remain vigilant, promptly applying updates and monitoring for any signs of unauthorized access to safeguard sensitive information.