CVE-2026-26149 Power Apps Risk: User-Assisted Trust Abuse Explained

[Illustration: a computer showing a "Suspicious link" warning while a user icon reaches for "OPEN"]
In practical terms, UI:R (User Interaction: Required) means this vulnerability is not a fully remote, drive-by issue the attacker can trigger alone. A victim has to do something first, in this case open, load, or otherwise interact with the malicious Power Apps canvas app, before the exploit path can succeed. That makes phishing, social engineering, or lure-based delivery the most likely attack patterns rather than silent exploitation.
PR:L (Privileges Required: Low) means the attacker does not need admin rights or elevated control, but does need some basic level of access. In a Power Apps scenario that usually translates to an attacker who can already create, publish, or share a canvas app within the access they have been granted; they are not starting from zero, but they are not an administrator either. In CVSS terms, "Low" privileges are ordinary user capabilities, not system-wide permissions.
So the combined meaning for CVE-2026-26149 is: the risk comes from an attacker with ordinary platform access who can plant a malicious app and then rely on a user to interact with it. That puts the vulnerability squarely in the category of conditional exploitation: the attacker needs a foothold, and the target must take an action. It is still serious, because social engineering and trusted business-app workflows make that user interaction realistic in enterprise environments, where an app shared by a colleague is rarely treated with suspicion.
For defenders, the important takeaway is that this is less about perimeter compromise and more about trust abuse inside the app ecosystem. Treat it as a user-assisted security feature bypass: review who can create and share Power Apps, restrict broad app distribution where possible (for example, sharing an app with the whole tenant), and warn users not to open unexpected apps or links, even when they appear to come from internal sources.
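One concrete way to act on "review who can create and share Power Apps" is to inventory canvas apps that are shared tenant-wide or with security groups, since those are the apps an attacker with low privileges could most easily put in front of many users. The following PowerShell is an added example, not part of the original post or of Microsoft's guidance for this CVE. It assumes the Microsoft.PowerApps.Administration.PowerShell module is installed, that the account used holds a Power Platform administrator role, and that the role-assignment property names used here (PrincipalType, PrincipalDisplayName, RoleType) match the module's current output; the output file name is arbitrary.

```powershell
# Added example (not from the original post or from Microsoft): find canvas apps
# shared with the whole tenant or with groups, then optionally block tenant-wide
# sharing going forward.
# Prerequisite (once): Install-Module Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser

Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in as a Power Platform admin

$findings = foreach ($app in Get-AdminPowerApp) {
    $assignments = Get-AdminPowerAppRoleAssignment -AppName $app.AppName `
                                                   -EnvironmentName $app.EnvironmentName
    foreach ($ra in $assignments) {
        # Assumption: PrincipalType 'Tenant' is the "share with everyone" case;
        # 'Group' is a security group and can also be very large.
        if ($ra.PrincipalType -in @('Tenant', 'Group')) {
            [pscustomobject]@{
                App           = $app.DisplayName
                AppName       = $app.AppName
                Environment   = $app.EnvironmentName
                Owner         = $app.Owner.email
                SharedWith    = $ra.PrincipalType
                PrincipalName = $ra.PrincipalDisplayName
                Role          = $ra.RoleType
                LastModified  = $app.LastModifiedTime
            }
        }
    }
}

# Review the list: an unfamiliar owner plus a tenant-wide or group share is the
# combination this CVE's PR:L / UI:R profile makes worth investigating first.
$findings | Sort-Object SharedWith, App | Format-Table -AutoSize
$findings | Export-Csv -Path .\powerapps-broad-sharing.csv -NoTypeInformation   # arbitrary file name

# Optional hardening: turn off the "share with everyone" option for makers at
# tenant level (documented tenant setting; does not revoke existing shares).
$requestBody = [pscustomobject]@{
    powerPlatform = [pscustomobject]@{
        powerApps = [pscustomobject]@{
            disableShareWithEveryone = $true
        }
    }
}
Set-TenantSettings -RequestBody $requestBody
```

The inventory step is read-only and safe to run first; the Set-TenantSettings call changes tenant behaviour for every maker, so agree it with the Power Platform owners before running it, and pair it with removing the specific tenant-wide shares the CSV surfaces.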

Source: MSRC Security Update Guide - Microsoft Security Response Center
