Apr 2026: Microsoft Power Apps Desktop Client Spoofing Vulnerability
CVE-2026-26149 Published on April 14, 2026
Microsoft Power Apps Desktop Client Spoofing Vulnerability
Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized attacker to perform spoofing over a network.
Weakness Type
Improper Neutralization of Escape, Meta, or Control Sequences
The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component. As data is parsed, an injected/absent/malformed delimiter may cause the process to take unexpected actions.
Products Associated with CVE-2026-26149
stack.watch emails you whenever new vulnerabilities are published in Microsoft Power Apps or Microsoft Power Apps Desktop Client. Just hit a watch button to start following.
Affected Versions
Microsoft Power Apps Desktop Client:- Version 1.0.0 and below 3.26032.10.0 is affected.