HIGH | CVE-2026-45649 | CNA: microsoft

CVE-2026-45649: Office for Android Spoofing Vulnerability

Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published upstream
  • Affected Products: 3


HarborGuard Analysis

Synopsis

An improper access control vulnerability in Microsoft Office for Android (Excel, PowerPoint, and Word) allows a local attacker to perform spoofing attacks. The exploit requires no authentication but does require the victim to take some action; it is reached locally on the device rather than over a network. Successful exploitation allows the attacker to read sensitive data and tamper with content through spoofing, though availability is not affected. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Office for Android components. Any image carrying an affected version of Microsoft Excel, PowerPoint, or Word for Android is flagged immediately.

Triage (status: Available)

HarborGuard scores this finding at CVSS 7.1 (HIGH) and weights it against each customer environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on their configured policy.

Patch (status: Pending upstream)

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment Microsoft releases a fix. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as that upstream fix is published.

Exploit Conditions

  • Network reachability: Not required (AV:L)

    The attacker needs an existing shell or process on the device; no network access to the device is required to trigger this vulnerability.

  • Authentication: Not required (PR:N)

    No account or credentials are required; the attacker can trigger the vulnerability without authenticating to any service or application.

  • Victim interaction: Required (UI:R)

    The victim must perform some action, such as opening a crafted file or following a malicious link, for the exploit to succeed.

  • Attack complexity: Low (AC:L)

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.

Blast Radius

  • The attacker can read sensitive data accessible to the Office application (confidentiality impact: High), including locally stored documents, cached credentials, or session tokens.
  • The attacker can modify or forge content within the application, such as altering displayed document metadata or spoofing the apparent source of a file.
  • Availability of the affected application and its data is not impacted by this vulnerability.
  • Scope is limited to the affected application on the local device; there is no indication of lateral movement to other system components.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously against all scanned images that include Microsoft Excel, PowerPoint, or Word for Android. Because no upstream fix version has been published, HarborGuard monitors the Microsoft advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the meantime, compensating controls available within HarborGuard include flagging affected images with a policy block that prevents promotion to production registries, applying network-policy isolation to restrict what the container can reach, and surfacing the finding for manual review in each team's queue. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR opened against affected workloads will be triggered immediately upon upstream fix publication, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes once a fix is available.

Affected packages
  • Microsoft / Microsoft Excel for Android (fix version: not yet published)
  • Microsoft / Microsoft PowerPoint for Android (fix version: not yet published)
  • Microsoft / Microsoft Word for Android (fix version: not yet published)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C