Microsoft Teams for Android Vulnerability Allows Attackers to Disclose Sensitive Data
Microsoft has disclosed a significant security vulnerability in Microsoft Teams for Android that could allow an authenticated attacker to expose sensitive information over a network. The flaw, tracked as CVE-2026-42835, was officially released on June 9, 2026, and has been rated Important in severity.
The vulnerability stems from improper neutralization of special elements in output used by a downstream component, classified under CWE-74 (Injection).
According to Microsoft’s advisory, the weakness enables an authorized attacker to disclose information remotely, without requiring any user interaction.
The flaw carries a CVSS 3.1 base score of 8.1 (temporal score: 7.1), reflecting its considerable risk. The attack vector is Network (AV:N), confirming the vulnerability is remotely exploitable over the internet.
With an attack complexity of Low (AC:L), an attacker does not need advanced knowledge of the target system and can achieve repeatable exploitation success with a crafted payload against the vulnerable component.
Microsoft confirmed that a successful exploit could allow an attacker to read small portions of heap memory. While the scope of exposed data may appear limited, heap memory can contain sensitive runtime information, including authentication tokens, session data, or cached credentials, making even partial disclosure a serious concern in enterprise environments.
The CVSS metrics indicate a high impact on both Confidentiality and Availability, with no integrity impact. The Privileges Required metric is rated Low, meaning any authenticated user, including low-privileged accounts, could potentially trigger the vulnerability.
Microsoft’s exploitability assessment classifies this vulnerability as Exploitation Less Likely. The flaw has not been publicly disclosed and has not been observed in active exploitation at the time of publication. Exploit code maturity is listed as Unproven, and an official fix is already available.
Microsoft has released a security update for Microsoft Teams for Android, available through the Google Play Store. Users and enterprise administrators are strongly advised to update the application immediately via the official Microsoft Teams listing on Google Play.
Organizations relying on Teams for internal communications should prioritize this update, especially given the app’s widespread use in handling sensitive business conversations and file sharing.
The vulnerability was responsibly disclosed by Ofek Levin of Enclave through Microsoft’s coordinated vulnerability disclosure program.
The post Microsoft Teams for Android Vulnerability Allows Attackers to Disclose Sensitive Data appeared first on Cyber Security News.
Guru Baran