A debug flag left active in six Microsoft 365 Android apps allowed another installed app on the same device to request account tokens without user interaction.
A debug flag left active in production code allowed another installed app on the same Android device to request Microsoft account tokens from Word, Excel, PowerPoint, OneNote, Microsoft Loop, and Microsoft 365 Copilot for Android without user interaction, according to research Enclave publicly disclosed on June 2, 2026.
Microsoft patched the flaws and issued CVEs on May 12, 2026, but the technical details became public on June 2, when Enclave published its research and SecurityWeek reported on the findings. Microsoft Teams was not affected, and no in-the-wild exploitation has been publicly confirmed, but the disclosure gives IT teams a fresh reason to verify Android app updates and review Microsoft 365 mobile app governance.
Microsoft 365 apps on Android share authentication tokens so users do not have to sign in again when moving from Word to Excel or PowerPoint. That handoff should stay within trusted Microsoft apps. The issue also comes as Microsoft is expanding its Android-based enterprise ambitions with Project Solara, making mobile trust boundaries more important for IT teams to understand.
In a public research post, Enclave traced the issue to setIsDebugMode(true), a production debug setting that skipped the check blocking untrusted apps from receiving tokens. Because the vulnerable code sat inside a shared Microsoft SDK, the misconfiguration appeared across all six affected apps.
Enclave built a proof of concept using an unverified third-party app that pulled tokens from installed Microsoft 365 apps and read email from the account without a password, login screen, or suspicious Android permission prompt. SecurityWeek described a malicious update to an already installed Android app as one possible attack path; in that scenario, the app could request Microsoft tokens in the background and transmit them without a visible prompt.
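To make the flaw class concrete from a defender's side, the following Python model is an added illustration and not Microsoft's SDK code: a cross-app token broker whose trusted-caller check can be short-circuited by a debug switch, beside a hardened broker that ties debug mode to the build type and runs the signer check unconditionally. The class names, package names and signing-certificate digests are hypothetical and constructed; the `set_is_debug_mode` method only echoes the setIsDebugMode(true) setting named in the research post, and on a real Android device the caller's signing certificate would come from PackageManager for the Binder calling UID rather than being passed in directly.

```python
"""Toy model of a cross-app token broker trust check (added example).

Not Microsoft's code: names, packages and digests below are hypothetical.
On Android the broker would resolve the caller via Binder.getCallingUid()
and fetch its signing certificate through PackageManager; here the caller
identity is handed in as a plain object so the check can run offline.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class CallerIdentity:
    package_name: str
    signer_sha256: str  # hex SHA-256 of the calling app's signing certificate


def _fake_cert_digest(label: str) -> str:
    # Constructed stand-in for a signing-certificate digest.
    return hashlib.sha256(label.encode()).hexdigest()


# Allowlist of signer digests permitted to receive shared family tokens.
# Constructed for this example; a real broker ships the vendor's real digests.
TRUSTED_SIGNER_SHA256 = frozenset({_fake_cert_digest("vendor-release-signing-key")})


class TokenDenied(Exception):
    """Raised when the caller is not a trusted family app."""


class VulnerableTokenBroker:
    """Models the flaw class in the article: a debug switch that, when left on
    in a production build, skips the trusted-caller check entirely."""

    def __init__(self) -> None:
        self.debug_mode = False

    def set_is_debug_mode(self, enabled: bool) -> None:
        self.debug_mode = enabled

    def request_token(self, caller: CallerIdentity) -> str:
        # Bug: the signer check is conditional on the debug flag being off.
        if not self.debug_mode and caller.signer_sha256 not in TRUSTED_SIGNER_SHA256:
            raise TokenDenied(caller.package_name)
        return f"token-for-{caller.package_name}"


class HardenedTokenBroker:
    """Debug mode is derived from the build type, refused in release builds,
    and never used as a reason to skip the signer check."""

    def __init__(self, is_release_build: bool) -> None:
        self.is_release_build = is_release_build
        self.debug_mode = False

    def set_is_debug_mode(self, enabled: bool) -> None:
        if self.is_release_build:
            raise ValueError("debug mode is not available in release builds")
        self.debug_mode = enabled

    def request_token(self, caller: CallerIdentity) -> str:
        # The signer check runs unconditionally; debug mode only adds logging.
        if caller.signer_sha256 not in TRUSTED_SIGNER_SHA256:
            raise TokenDenied(caller.package_name)
        if self.debug_mode:
            print(f"[debug] issuing token to {caller.package_name}")
        return f"token-for-{caller.package_name}"


def _attempt(broker, caller: CallerIdentity) -> str:
    try:
        broker.request_token(caller)
        return "granted"
    except TokenDenied:
        return "denied"


def demo() -> dict:
    """Exercise both brokers with a trusted and an untrusted caller."""
    trusted = CallerIdentity("com.example.vendor.spreadsheet",
                             _fake_cert_digest("vendor-release-signing-key"))
    untrusted = CallerIdentity("com.example.thirdparty.notes",
                               _fake_cert_digest("some-other-signing-key"))
    results = {}

    vuln = VulnerableTokenBroker()
    vuln.set_is_debug_mode(True)  # the production misconfiguration
    results["vulnerable_untrusted"] = _attempt(vuln, untrusted)

    hard = HardenedTokenBroker(is_release_build=True)
    results["hardened_untrusted"] = _attempt(hard, untrusted)
    results["hardened_trusted"] = _attempt(hard, trusted)
    try:
        hard.set_is_debug_mode(True)
        results["release_refuses_debug"] = False
    except ValueError:
        results["release_refuses_debug"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is that a debug flag should never be an input to an authorization decision; in the hardened version the only thing debug mode changes is logging, and a release build cannot enter it at all, so a leftover call to enable it fails loudly at build or test time instead of silently widening the trust boundary.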
Depending on the app context, exposed tokens could allow access to email, files, calendar information, documents, or communications. Enclave identified them as Family of Client IDs (FOCI) tokens, a token family designed for cross-app access within Microsoft’s ecosystem.
The Copilot connection also matters as Microsoft’s AI tools handle sensitive workflows, including health-related use cases that raise separate governance questions.
NVD records list CVE-2026-41100 for M365 Copilot, CVE-2026-41101 for Word, CVE-2026-41102 for PowerPoint, and CVE-2026-42832 for Microsoft Office, including Word and Excel for Android in affected software configurations. Most fixes were distributed through Patch Tuesday; SecurityWeek reported that the PowerPoint fix was pushed to Google Play the same day.
IT teams should verify patched builds of the affected apps, enforce Play Store updates through mobile device management where possible, review third-party app installation policies, and examine sign-in activity for higher-risk users who ran affected versions before May 12, 2026. Exposure is likely higher where unmanaged Android devices can access Microsoft 365 while allowing broad third-party app installation.
Recent Microsoft 365 incidents have also shown why IT teams need fallback plans when collaboration tools break, as seen in the Microsoft Teams file-access outage.
Android app governance now belongs alongside Microsoft 365 identity controls, especially when work accounts run on unmanaged or loosely managed devices.