May 2026: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40420 Published on May 12, 2026

Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
Improper access control in Microsoft Office Click-To-Run allows an authorized attacker to elevate privileges locally.

Vendor Advisory NVD

Weakness Type

What is an Authorization Vulnerability?

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CVE-2026-40420 has been classified to as an Authorization vulnerability or weakness.

Products Associated with CVE-2026-40420

Want to know whenever a new CVE is published for Microsoft products? stack.watch will email you.

Microsoft Office 2019

Microsoft 365 Apps

Microsoft Office 2021

Microsoft Office 2024

Affected Versions

Microsoft 365 Apps for Enterprise:

Version 16.0.1 and below https://aka.ms/OfficeSecurityReleases is affected.

Microsoft Office 2019:

Version 19.0.0 and below https://aka.ms/OfficeSecurityReleases is affected.

Microsoft Office LTSC 2021:

Version 16.0.1 and below https://aka.ms/OfficeSecurityReleases is affected.

Microsoft Office LTSC 2024:

Version 16.0.0 and below https://aka.ms/OfficeSecurityReleases is affected.

May 2026: Microsoft Office Click-To-Run Elevation of Privilege VulnerabilityCVE-2026-40420 Published on May 12, 2026

Weakness Type

What is an Authorization Vulnerability?

Products Associated with CVE-2026-40420

Affected Versions

May 2026: Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40420 Published on May 12, 2026