Microsoft has disclosed CVE-2026-32172, a critical remote code execution (RCE) vulnerability in Microsoft Power Apps caused by an uncontrolled search path element, but states that the issue is already fully mitigated in the service and requires no customer action.
CVE-2026-32172 is a remote code execution vulnerability in Microsoft Power Apps, rooted in CWE-427: Uncontrolled Search Path Element.
The flaw allows an unauthorized attacker to execute arbitrary code over a network when specific conditions are met, leveraging how Power Apps resolves external resources or binaries along a search path.
Critical Microsoft Power Apps RCE
Microsoft assigned this CVE a CVSS v3.1 base score of 8.0 (vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating a network-exploitable bug with high attack complexity, no privileges required, and user interaction required, with high impact on confidentiality and integrity but no direct impact on availability.
The vulnerability changes the security scope (S:C), meaning that successful exploitation can breach isolation boundaries and affect additional components or tenants. At disclosure time, Microsoft reported no public exploit code and no evidence of in-the-wild exploitation, and categorized exploit code maturity as “Unproven.”
CWE-427 describes scenarios where software searches for resources such as DLLs, executables, or configuration files in a path that can be tampered with by an attacker. In the context of Power Apps, this means the platform could be tricked into loading or invoking code from an attacker-controlled location when handling certain external calls or protocol handlers.
Where path resolution is not tightly controlled, an adversary can:
- Introduce a malicious binary earlier in the search path.
- Manipulate environment variables or URL handlers.
- Abuse protocol handlers or external integrations to pivot execution.
Similar issues have appeared in other Microsoft components and web app platforms, where path hijacking or unsafe protocol invocations enabled RCE or security feature bypass.
Attack Scenario and Preconditions
Although technical exploit details for CVE-2026-32172 are not public, its CVSS vector and weakness class provide a realistic attack narrative aligned with Microsoft’s scoring.
Key properties from the CVSS vector:
- AV:N – Attack is performed over the network, e.g., via crafted links, embedded content, or web requests.
- AC:H – Exploitation is non-trivial and likely requires specific environmental conditions or user behavior.
- PR:N – The attacker does not need authenticated access to the target service.
- UI:R – A victim user must act, such as clicking a malicious link, opening a shared Power App, or approving an external protocol prompt.
- S:C, C:H, I:H – Successful exploitation can cross trust boundaries and result in high-impact compromise of data confidentiality and integrity.
A plausible scenario for defenders to model:
- An attacker crafts a malicious Power Apps URL or embedded component that forces a call to an external resource resolved via a vulnerable search path.
- A target user in a Microsoft 365 tenant interacts with the crafted app (e.g., via a shared application, embedded portal, or link in email or Teams).
- Due to an uncontrolled search path, Power Apps loads or executes attacker-controlled code, leading to execution in the context of the service or its associated integration channel.
- The attacker gains the ability to access or manipulate sensitive data or pivot to other cloud resources, even though they lacked initial privileges.
This pattern aligns with other modern cloud and web RCE chains where a single malicious click or interaction with an embedded app is enough to drive arbitrary code execution in a backend or connected service.
Impact on Enterprises and Cloud Tenants
For organizations heavily invested in Power Apps and low-code workflows across Microsoft 365, this vulnerability is strategically significant even though it has been mitigated at the service level.
Potential business impacts if exploitable:
- Exposure of sensitive application data stored or processed inside Power Apps, including customer records, forms, and workflow data.
- Tampering with business logic or workflows, resulting in unauthorized transactions, data manipulation, or misrouted approvals.
- Cross-tenant or cross-service impacts if attackers can abuse connectors or identity relationships between Power Apps, Microsoft 365 services, or external APIs.
However, Microsoft has explicitly noted that the vulnerability has already been fully mitigated on their side, and that customers require no configuration changes or patch deployment.
This aligns with the emerging pattern of “cloud service CVEs,” in which the provider is solely responsible for remediation and publishes CVEs primarily to increase transparency about platform-level risk.
Response and Mitigation
Microsoft is listed as the assigning CNA (CVE Numbering Authority) and published the initial advisory and CVE record on April 23, 2026. The advisory clearly states:
- “Customer action required: Not Required”: remediation is handled entirely by Microsoft in the Power Apps backend.
- An official fix has been deployed, and the vulnerability is fully mitigated at the service level, as reflected in the CVSS temporal metrics, which show an “Official Fix” remediation level.
- The CVE exists to provide transparency for cloud service security issues and is part of Microsoft’s broader initiative to document cloud-only vulnerabilities under dedicated CVEs.
This issue appears among many high-severity Microsoft bugs disclosed in April 2026, though it stands out by affecting the Power Apps low-code platform rather than traditional desktop or server components.
Even though no direct patching is required, security and governance teams should treat CVE-2026-32172 as an important signal about their cloud application threat model.
Practical steps:
- Asset inventory: Ensure you maintain an up-to-date inventory of all Power Apps used across departments, including portals and embedded applications in SharePoint or Teams.
- Access and data review: Validate that sensitive workflows in Power Apps follow least-privilege principles, and that connectors to external systems are tightly scoped.
- User awareness: Reinforce training about malicious links and untrusted apps, as this and similar CVEs still depend on user interaction for exploitation.
- Monitoring and logging: Centralize Power Apps and Microsoft 365 audit logs and alert on unusual app sharing, connector changes, or anomalous access patterns.
- Cloud CVE tracking: Incorporate cloud-service CVEs, such as CVE-2026-32172, into your vulnerability management process, even when they require “no action,” to ensure risk registers and compliance reports remain accurate.
For organizations subject to regulatory requirements, referencing this CVE in risk assessments and security documentation demonstrates ongoing monitoring of cloud platform vulnerabilities and mitigations.
FAQ
What is CVE-2026-32172 in Microsoft Power Apps?
CVE-2026-32172 is a critical remote code execution vulnerability in Microsoft Power Apps caused by an uncontrolled search path element (CWE-427).
Do customers need to patch anything for CVE-2026-32172?
No, Microsoft has fully mitigated CVE-2026-32172 in the Power Apps service, and no customer-side patching or configuration changes are required.
Has CVE-2026-32172 been exploited in the wild?
As of disclosure, Microsoft reports no public exploitation and no available proof-of-concept exploit code for CVE-2026-32172.
How severe is the CVE-2026-32172 vulnerability?
Microsoft rates CVE-2026-32172 as critical, with a CVSS v3.1 base score of 8.0 and high impact on confidentiality and integrity.
Site: thecybrdef.com