Six Microsoft 365 Android apps contain an identical flaw that could risk billions of downloads being compromised.
The findings, shared exclusively with SecurityWeek ahead of the expected public release of the research on Tuesday, were uncovered by Enclave, an AI-powered exploitable bug hunter. The flaw is nothing more than a single debug flag left in the production code of Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop and OneNote for Android. Someone left debug mode enabled in production (set IsDebugMode(true)). The flag was enabled across all six apps, but not in other Microsoft (MS) apps such as Teams, which were therefore not exposed to the resulting exploitation risk.
The effect of such debug flags varies. Sometimes the purpose is simply to affect logging or to test output. “This one changed the behavior around account access token sharing,” explains Enclave reporting its findings. “With debug mode enabled, the protection that should have blocked untrusted apps from receiving tokens was skipped.”
Microsoft’s intention is to allow easy passage for its authorized customers from one MS app to another MS app on the same device, without requiring new login authorization from the Android user each time. So, the code in the apps is designed to pass access tokens to the other MS apps – but crucially, not do so for any other Android app. The effect of this debug flag omitted the restriction on non-MS apps, and the result was that Android MS access tokens were handed to any Android app that requested them.
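As an added illustration (not Microsoft's code; the class and flag names, and the allowlisted certificate digest, are assumptions), this is the shape of the check the article describes: a token broker that should release a token only to callers whose APK signing certificate is on an allowlist, shown with the debug bypass beside a hardened form that cannot carry that bypass into a release build.

```kotlin
// Added example, not from the affected apps. TokenBroker, isDebugMode and
// TRUSTED_SIGNER_SHA256 are assumed names; the digest value is a placeholder.
import android.content.Context
import android.content.pm.PackageManager
import android.os.Binder
import java.security.MessageDigest

class TokenBroker(private val context: Context) {
    // SHA-256 digests of the signing certificates that may receive tokens.
    private val trustedSigners = setOf("<SHA256-OF-TRUSTED-SIGNING-CERT>")

    // A development switch of the kind the article describes. Tying it to
    // BuildConfig.DEBUG means a release build cannot ship with it set to true.
    private val isDebugMode: Boolean = BuildConfig.DEBUG

    // Every package sharing the caller's UID must be signed with a trusted cert.
    fun callerIsTrusted(callingUid: Int): Boolean {
        val pm = context.packageManager
        val packages = pm.getPackagesForUid(callingUid) ?: return false
        return packages.all { pkg -> signerDigests(pm, pkg).any { it in trustedSigners } }
    }

    private fun signerDigests(pm: PackageManager, pkg: String): List<String> {
        // Requires API 28+; apps using key rotation would also need to consult
        // signingCertificateHistory (assumption: no rotation here).
        val info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES)
        val signers = info.signingInfo?.apkContentsSigners ?: return emptyList()
        val md = MessageDigest.getInstance("SHA-256")
        return signers.map { sig ->
            md.digest(sig.toByteArray()).joinToString("") { "%02x".format(it) }
        }
    }

    // The flawed pattern: the debug flag short-circuits the caller check, so
    // any app that asks is handed the token when the flag is true.
    fun tokenForCallerFlawed(): String? {
        if (isDebugMode || callerIsTrusted(Binder.getCallingUid())) return loadAccountToken()
        return null
    }

    // Hardened: the debug switch is never consulted on the authorization path,
    // and a release build fails fast if it somehow reaches production as true.
    fun tokenForCaller(): String? {
        check(!isDebugMode || BuildConfig.DEBUG) { "debug mode must not be on in release" }
        return if (callerIsTrusted(Binder.getCallingUid())) loadAccountToken() else null
    }

    private fun loadAccountToken(): String = TODO("read the account token from secure storage")
}
```

A unit test that asserts `tokenForCaller()` returns null for an unknown caller UID, run in the release build variant, is the cheapest regression check for this class of mistake.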
To exploit this flaw, an attacker could write code requesting MS access. It could be a separate app or code within a doctored Android app. The only requirement would be to get that app onto as many Android devices as possible.
“The attacker could just write a snippet that is 15 lines of code. It just seeks access to the MS app and is given the token,” explains Yanir Tsarimi, co-founder and CPO at Enclave. “It doesn’t get any simpler than that, because it’s just a feature that is supposed to be there.”
The flaw is not in handing over the access token, but in leaving a debug line that skipped the check limiting this handover to requests from the other MS apps installed on the Android device. “It was just a simple mistake that in this case is very painful.” One simple mistake potentially impacted apps totaling billions of downloads.
Tsarimi gave a potential exploitation scenario. “Suppose you are a mobile device game developer with auto update and 10,000 users. You write the malicious exploit code seeking access to the affected MS apps and include it within an update that gets delivered to your 10,000 users. Auto update installs it. The malicious code stealthily requests access to any MS app on the user’s Android, receives the token and quietly sends it back to you.”
In such a case, the victim may see nothing and be aware of nothing – but the attacker gets the token. “The owner of the app can do whatever they want with those tokens,” adds Tsarimi. “It’s essentially a supply chain attack, just from a different direction.”
The user sees nothing, confirms the report. “But from the attacker’s side, those tokens were enough to act through the Microsoft account and access the app that had just handed them over. We confirmed the issue in [all six of the MS] Android apps.”
Potential misuse of the tokens is huge. They are Microsoft FOCI tokens that could be reused and refreshed over long periods without anyone noticing. “Any attacker-controlled app could gain full access to Microsoft account data exposed through the affected app context,” warns Enclave. “This could be emails, files, documents, communications, and calendar information. It could also allow the attacker to read sensitive information, modify documents, or send communications through the access exposed by the token.”
The firm reported the issues to Microsoft, and all were quickly confirmed. Microsoft fixed the flaws and issued CVE numbers CVE-2026-41100, -41101 and -41102 on May 12. Relevant patches were distributed through the firm’s Patch Tuesday mechanism, other than -41102 (the vulnerability in PowerPoint for Android) which was fixed and pushed as a patched build to the Google Play Store also on May 12.
Android users should now be safe, provided their patching is up to date.
“We reported the issues to MSRC, and all of them were confirmed and fixed,” concludes Enclave. “But the important part is this: a development setting reached production in several major apps and changed the behavior of a system protecting account access. That should be hard to do by accident. Here, it was not hard enough.”
