Main Vulnerability Database SB20260414131

SB20260414131 - Security feature bypass in Microsoft Power Apps

Published: April 14, 2026

Security Bulletin ID SB20260414131

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper Neutralization of Escape, Meta, or Control Sequences (CVE-ID: CVE-2026-26149)

CWE-ID: CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper neutralization of escape, meta, or control sequences in Microsoft Power Apps. A remote user can bypass the security warning dialog that is meant to clearly inform users when an app is attempting to open an external protocol.

Remediation

Install update from vendor's website.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149