This is a fake badge inside the building, not a crowbar on the front door
CVE-2026-41100 is an improper access control flaw in Microsoft 365 Copilot for Android that Microsoft describes as enabling an authorized attacker to perform local spoofing. The published CVSS and NVD CPE data narrow this hard: attack vector is local, privileges required are low, user interaction is none, and the affected Android app versions are those before 16.0.19822.20190; that fixed floor is an inference from NVD's affected-version range.
Microsoft's MEDIUM 4.4 rating is directionally fair in a vacuum, but in real enterprise operations this behaves more like LOW patch priority. The exploit chain already assumes attacker presence on the handset or a malicious app running in the user's context, the blast radius is mostly one user on one Android device, there is no public exploitation evidence, no KEV listing, and the EPSS signal is effectively floor noise.
3 steps from start to impact.
Land on the Android device
adb. For defenders, this is the decisive friction point: the vulnerability is not reachable over the internet or by anonymous remote traffic.
- Target uses Microsoft 365 Copilot for Android
- Attacker already has local code execution, local app presence, or device access
- Installed app version is earlier than 16.0.19822.20190
- Requires prior compromise or physical/local access to the handset
- Enterprise-managed Android fleets often restrict sideloading and debug access
- Many corporate users do not have the affected app installed on every device
Abuse the access-control flaw
adb shell, or runtime instrumentation like Frida, rather than an off-the-shelf one-click exploit.
- Authorized or low-privileged local context on the device
- Knowledge of the app workflow or component exposed by the flaw
- Vulnerable build present
- No public PoC lowers copy-paste attacker adoption
- Exact trigger path is not public, increasing reverse-engineering cost
- Modern mobile protections may limit instrumentation or app-to-app abuse
Spoof content or trust signals
- User trusts the displayed Copilot context or content
- Attacker can leverage the spoofed state for follow-on actions
- Impact is mostly limited to confidentiality and integrity, with no availability impact
- Single-user, single-device scope unless chained with separate identity compromise
- Conditional Access, MAM, and tenant-side controls can still contain downstream abuse
The supporting signals.
| Signal | Finding |
|---|---|
| In-the-wild status | No public exploitation evidence found in the retrieved source set, and not listed in CISA KEV. |
| Proof-of-concept availability | No public PoC located on GitHub or mainstream exploit trackers during this review. |
| EPSS | 0.0004 from the user-supplied intel; that is effectively negligible exploit-likelihood signal. Percentile not independently confirmed from retrieved primary sources. |
| KEV status | Not KEV-listed as of the retrieved CISA catalog page review. |
| CVSS vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N — the key downgrade driver is AV:L + PR:L, which means post-compromise or same-device access, not perimeter exposure. |
| Affected versions | Microsoft 365 Copilot for Android before 16.0.19822.20190 per NVD CPE data. |
| Fixed version | 16.0.19822.20190 and later on Android; this fixed floor is inferred from NVD's affected-version range and should be confirmed against tenant app-store inventory. |
| Exposure/scanning reality | Not internet-addressable in any meaningful Shodan/Censys/GreyNoise sense. This is a local mobile-app issue, so classic external attack-surface counts are largely irrelevant. |
| Disclosure date | 2026-05-12 via Microsoft/NVD publication. |
| Researcher / reporter | Microsoft Corporation CNA record published the CVE; no separate external researcher attribution was visible in the retrieved primary sources. |
noisgate verdict.
The single biggest severity suppressor is the attacker-position requirement: this flaw needs local, low-privileged access on the Android device, which means the attacker is already on the handset or has a malicious app installed. That makes this a post-initial-access mobile abuse path with narrow reach and limited fleet-wide blast radius, not a broad enterprise intrusion vector.
Why this verdict
- Downgrade for attacker position: AV:L means the adversary must already be on the Android device or have physical/local access; this is not reachable by anonymous remote attackers.
- Downgrade for prerequisite stacking: PR:L implies an already authorized or low-privileged context, which compounds the post-compromise nature of the chain.
- Downgrade for exposure population: only Android users running the Microsoft 365 Copilot app and still below the fixed build are in scope, which is a much smaller slice than a server-side Microsoft flaw.
- Downgrade for weak threat signal: no KEV listing, no public exploitation evidence, no public PoC found, and user-supplied EPSS is near zero.
- Residual reason it is not IGNORE: it can still affect trust and content integrity on managed mobile endpoints, especially for executives or high-value users who rely on Copilot workflows.
Why not higher?
There is no unauthenticated remote path, no network-reachable service, and no evidence this scales across tenants or can be mass-scanned from the internet. Even if the spoofing impact is real, the chain begins after the attacker has already landed on the device, which is a major downward pressure on enterprise patch urgency.
Why not lower?
This is still a real vendor-patched security flaw in a widely branded Microsoft productivity app, not mere informational noise. If your mobile fleet includes high-value users, bring-your-own-device exceptions, or weak app-control policy, local spoofing inside a trusted work app still deserves cleanup and verification.
What to do — in priority order.
- Inventory the Android app fleet — Use Intune, your EMM, or Play managed app telemetry to identify installations of com.microsoft.office.officehubrow below 16.0.19822.20190. For a LOW verdict there is no fixed mitigation SLA; treat this as backlog hygiene and get visibility in the next normal mobile-app governance cycle.
- Force managed app updates — Require the fixed Microsoft 365 Copilot for Android build through managed Google Play or equivalent MDM controls so stragglers age out naturally. For this severity there is no SLA, but do not leave unmanaged long-tail versions drifting indefinitely.
- Tighten mobile app trust — Block sideloading where possible, enforce Play Protect, and keep device compliance, MAM, and Conditional Access aligned so a local compromise does not easily become account abuse. On a LOW issue this is preventive hygiene rather than an emergency compensating action.
- Prioritize high-value users — If executives, legal, finance, or admins use the app on Android, move them to the front of the update queue because spoofing against trusted productivity workflows is more consequential there. That is risk-based triage, not a severity upgrade.
- A perimeter WAF or IDS does not help because the flaw is not exposed as a network service.
- External vulnerability scanning will miss this because the vulnerable component is a local Android application, not a listening host.
- Treating it like a generic server patch problem will waste time; this is an MDM/app inventory problem first.
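The inventory and prioritization steps above are usually done against an MDM "discovered apps" export rather than one handset at a time. The script below is an added example, not part of the noisgate page or its verification payload: it reads such an export, flags devices where the Copilot package is below the fixed floor, treats rows with an unparseable version as unknown rather than silently passing them, and sorts the high-value groups named in the prioritization step to the front of the update queue. The column names and the sample rows are constructed for this example and are not Intune's real export schema; map them to whatever your EMM produces.

```python
import csv
import io
import re

PACKAGE = "com.microsoft.office.officehubrow"
FIXED = "16.0.19822.20190"

# Groups that go to the front of the update queue (from the prioritization step).
HIGH_VALUE_GROUPS = {"executives", "legal", "finance", "admins"}

# Constructed sample of an MDM discovered-apps export. The column names are an
# assumption for this example, not a real Intune or EMM schema.
SAMPLE_EXPORT = """device_id,user,group,package,version_name
A001,ceo@example.com,executives,com.microsoft.office.officehubrow,16.0.19722.20000
A002,dev1@example.com,engineering,com.microsoft.office.officehubrow,16.0.19822.20190
A003,cfo@example.com,finance,com.microsoft.office.officehubrow,16.0.19822.20150
A004,intern@example.com,engineering,com.microsoft.office.officehubrow,16.0.19900.20010
A005,help@example.com,support,com.android.chrome,124.0.6367.54
A006,admin2@example.com,admins,com.microsoft.office.officehubrow,
"""


def version_key(v):
    """Numeric tuple for ordering versions; None when no digits are present."""
    parts = re.findall(r"\d+", v or "")
    return tuple(int(p) for p in parts) if parts else None


def is_below(installed, fixed):
    """True if installed < fixed, False otherwise, None if installed is unparseable.
    Shorter tuples are right-padded with zeros so 16.0 compares as 16.0.0.0."""
    a, b = version_key(installed), version_key(fixed)
    if a is None or b is None:
        return None
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def triage(export_text, package=PACKAGE, fixed=FIXED):
    """Return (vulnerable_rows, unknown_rows) for the given package.
    Vulnerable rows are sorted with high-value groups first, then by user."""
    vulnerable, unknown = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["package"] != package:
            continue  # other apps are out of scope for this CVE
        below = is_below(row["version_name"], fixed)
        if below is None:
            unknown.append(row)  # missing/garbled version: verify, don't assume patched
        elif below:
            vulnerable.append(row)
    vulnerable.sort(key=lambda r: (r["group"] not in HIGH_VALUE_GROUPS, r["user"]))
    return vulnerable, unknown


if __name__ == "__main__":
    vuln, unk = triage(SAMPLE_EXPORT)
    for r in vuln:
        tier = "HIGH-VALUE" if r["group"] in HIGH_VALUE_GROUPS else "standard"
        print(f"VULNERABLE {tier:10s} {r['device_id']} {r['user']} {r['version_name']}")
    for r in unk:
        print(f"UNKNOWN    version missing {r['device_id']} {r['user']}")
```

On the sample data the executive and finance devices (A001, A003) come out as vulnerable and queue first, A002 is exactly at the fixed floor and counts as patched, and A006 is reported as unknown because its version field is empty; the point of the unknown bucket is that an inventory gap is a verification task, not evidence of being patched.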
Crowdsourced verification payload.
Run this from an auditor workstation with Android Platform Tools (adb) installed and the target device connected via USB or enterprise debugging workflow. Invoke it as python3 check_cve_2026_41100.py --serial <device_serial> or let it use the single connected device; it needs no root, but it does need permission to query package metadata over adb.
```python
#!/usr/bin/env python3
# Check Microsoft 365 Copilot for Android version against CVE-2026-41100 fixed build
# Usage: python3 check_cve_2026_41100.py [--serial DEVICE] [--package com.microsoft.office.officehubrow] [--fixed 16.0.19822.20190]
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import argparse
import re
import subprocess
import sys

DEFAULT_PACKAGE = 'com.microsoft.office.officehubrow'
DEFAULT_FIXED = '16.0.19822.20190'


def run(cmd):
    # Run adb and hand back (returncode, stdout, stderr); a missing adb binary is UNKNOWN
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, check=False)
        return p.returncode, p.stdout, p.stderr
    except FileNotFoundError:
        print('UNKNOWN: adb not found in PATH')
        sys.exit(2)


def version_tuple(v):
    # Reduce a versionName to its numeric components; None if there are none
    parts = re.findall(r'\d+', v or '')
    if not parts:
        return None
    return tuple(int(x) for x in parts)


def compare_versions(a, b):
    # -1 if a < b, 1 if a > b, 0 if equal, None if either is unparseable
    ta = version_tuple(a)
    tb = version_tuple(b)
    if ta is None or tb is None:
        return None
    max_len = max(len(ta), len(tb))
    ta = ta + (0,) * (max_len - len(ta))
    tb = tb + (0,) * (max_len - len(tb))
    if ta < tb:
        return -1
    if ta > tb:
        return 1
    return 0


def main():
    ap = argparse.ArgumentParser(description='Check CVE-2026-41100 exposure on an Android device via adb')
    ap.add_argument('--serial', help='adb device serial')
    ap.add_argument('--package', default=DEFAULT_PACKAGE, help='Android package name')
    ap.add_argument('--fixed', default=DEFAULT_FIXED, help='Fixed version floor')
    args = ap.parse_args()

    adb = ['adb']
    if args.serial:
        adb += ['-s', args.serial]

    # Confirm a device is attached and authorized before querying it
    rc, out, err = run(adb + ['get-state'])
    if rc != 0 or 'device' not in out:
        print('UNKNOWN: no adb device available or unauthorized')
        sys.exit(2)

    # Package metadata (including versionName) needs no root
    rc, out, err = run(adb + ['shell', 'dumpsys', 'package', args.package])
    if rc != 0 or not out.strip():
        print(f'UNKNOWN: package {args.package} not found or package query failed')
        sys.exit(2)

    m = re.search(r'versionName=([^\s]+)', out)
    if not m:
        print(f'UNKNOWN: could not determine installed version for {args.package}')
        sys.exit(2)

    installed = m.group(1).strip()
    cmpv = compare_versions(installed, args.fixed)
    if cmpv is None:
        print(f'UNKNOWN: unable to compare installed version {installed} to fixed {args.fixed}')
        sys.exit(2)

    if cmpv < 0:
        print(f'VULNERABLE: {args.package} installed version {installed} is older than fixed {args.fixed}')
        sys.exit(1)
    else:
        print(f'PATCHED: {args.package} installed version {installed} is at or above fixed {args.fixed}')
        sys.exit(0)


if __name__ == '__main__':
    main()
```

If you remember one thing.
16.0.19822.20190, and fold the update into your next normal managed mobile-app rollout; for a LOW verdict there is no noisgate mitigation or remediation SLA beyond backlog hygiene, so the right move is to clean it up through standard MDM governance rather than emergency change windows.

Sources
- NVD entry for CVE-2026-41100
- Microsoft Security Update Guide advisory
- CVE.org record
- CISA Known Exploited Vulnerabilities catalog
- FIRST EPSS data documentation
- FIRST EPSS API documentation
- Microsoft Support: install and set up the Microsoft 365 Copilot app on Android
- Google Play listing for Microsoft 365 Copilot