// Microsoft 365HIGH
A debug flag (setIsDebugMode) left enabled in production code across Microsoft 365 Android apps allowed any co-installed application to silently steal Microsoft account tokens without user interaction. The vulnerability, dubbed FlagLeft, affected Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote apps, potentially exposing billions of Android users to account takeover. Microsoft patched all affected apps in May 2026 with CVE-2026-41100, CVE-2026-41101, and CVE-2026-41102 assigned.
- Microsoft 365 Android Apps Account Takeover Vulnerability Impact(opens in a new tab)
- Microsoft and LinkedIn: Cyber Security News ®’s Post(opens in a new tab)
// Get alerts for Microsoft 365