cve-2026-26149
About this tag
CVE-2026-26149 is a vulnerability in Microsoft Power Apps that requires user interaction to exploit, meaning a victim must open or interact with a malicious canvas app for the attack to succeed. This makes phishing and social engineering the primary attack vectors rather than silent exploitation. The vulnerability does not require elevated privileges, as indicated by its Privileges Required: Low (PR:L) rating. Discussions on WindowsForum cover the mechanics of this user-assisted trust abuse, emphasizing that the risk is real but contingent on user behavior. Understanding CVE-2026-26149 helps users recognize the importance of cautious interaction with Power Apps and the role of social engineering in modern threats.
In practical terms, UI:R means this vulnerability is not a fully remote, drive-by issue that the attacker can trigger on their own. A victim has to do something first — in this case, open, load, or otherwise interact with the malicious Power Apps canvas app — before the exploit path can succeed...