HIGH | CVE-2026-42835 | CNA: microsoft

CVE-2026-42835: Microsoft Teams for Android Information Disclosure Vulnerability

Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Teams for Android allows an authorized attacker to disclose information over a network.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 1.0.76.2026111302
Affected Products: 1


HarborGuard Analysis

Synopsis

An injection vulnerability in Microsoft Teams for Android allows an authenticated attacker to trigger information disclosure and cause service disruption over the network. The CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates the attack is reachable over the network, requires only a low-privilege account, and needs no victim interaction. Successful exploitation reads sensitive data exposed by the app and crashes or disrupts the Teams service for affected users. A patched-image rebuild at version 1.0.76.2026111302 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-42835 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication via continuous ingestion from upstream feeds including the Microsoft Security Response Center advisory. Coverage extends to custom-built images that bundle or layer on Microsoft Teams for Android components.
Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 8.1 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on registry ownership and policy configuration.
Patch (Available)

A patched-image rebuild at version 1.0.76.2026111302 becomes available on HarborGuard for any environment where an affected image version (below 1.0.76.2026111302, from 1.0.0) is detected. For customers who opt into auto-remediation, HarborGuard is capable of executing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable Teams for Android service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed but the service must be network-exposed.

  • Authentication: Required

    A valid account is needed to exploit this vulnerability, but any low-privilege user account is sufficient; CVSS PR:L means no administrative rights are required.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any other user; the exploit can be executed entirely by the attacker without social engineering or user action (UI:N).

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; CVSS AC:L indicates no race conditions, special memory layout, or environmental prerequisites are required to land the attack.

Blast Radius

  • Reads sensitive information exposed by the Teams for Android app, which may include messages, session tokens, or user data transiting the affected component (C:H).
  • Crashes or severely degrades the Teams for Android service for affected users, interrupting availability of the application (A:H).
  • No data modification or write access is granted by this vulnerability; integrity of stored data is not directly affected (I:N).
  • The scope is contained to the vulnerable application instance; lateral movement or host-level compromise is not indicated by this vulnerability alone (S:U).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-42835 activates within minutes of CVE publication for any customer image containing a vulnerable version of Microsoft Teams for Android (below 1.0.76.2026111302). For customers who opt into auto-remediation, HarborGuard can rebuild the image at the fixed version, run regression tests, and open a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the appropriate team inbox with CVSS scoring and policy weighting attached so engineers can prioritize and act without additional research.


Fix available: 1.0.76.2026111302
Affected packages
  • Microsoft / Microsoft Teams for Android
    < 1.0.76.2026111302 (from 1.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C