CVE-2026-42902: Microsoft PowerToys Privilege Escalation Vulnerability (CVSS 7.8)
Microsoft PowerToys contains an authorization flaw that allows someone with local access and a valid account on a system to gain elevated privileges. An attacker who already has user-level credentials can exploit this design weakness to obtain higher-level permissions, potentially taking full control of the affected system. The vulnerability requires local access and legitimate user credentials to trigger, limiting exposure but creating a meaningful risk in shared or multi-tenant environments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-285
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42902 is a privilege escalation vulnerability stemming from improper authorization controls (CWE-285) in Microsoft PowerToys. The flaw permits an authenticated local attacker to elevate privileges without requiring user interaction. The CVSS 3.1 score of 7.8 (HIGH) reflects the combination of local attack vector, low attack complexity, low privilege requirement, and the ability to compromise confidentiality, integrity, and availability. The vulnerability does not yet appear on CISA's Known Exploited Vulnerabilities catalog, indicating limited evidence of active exploitation at the time of publication.
Business impact
Privilege escalation vulnerabilities in widely-used administrative tools like PowerToys pose a lateral movement and persistence risk. An insider, compromised account, or attacker with initial low-privileged access can use this flaw to move toward system administration rights, enabling deployment of malware, data exfiltration, or system-wide compromise. Organizations using PowerToys in standardized deployments or shared lab environments face elevated risk, particularly in zero-trust architectures that depend on privilege boundaries.
Affected systems
Microsoft PowerToys is targeted by this vulnerability. The flaw affects systems on which PowerToys is installed and allows an authenticated local user to escalate privileges. The vulnerability requires an attacker to already possess valid local credentials, meaning exposure is primarily internal—staff accounts, shared systems, or compromised user sessions are the likely attack vectors.
Exploitability
Exploitation requires local access and pre-existing user-level credentials; it is not remotely exploitable. Attack complexity is low, meaning an attacker with the necessary baseline access can trigger privilege escalation without significant technical barriers or user interaction. The absence of a KEV listing suggests active exploitation has not yet been widely observed in the wild, though the low barriers to exploitation mean this status may change as awareness increases.
Remediation
Apply the security update from Microsoft addressing CVE-2026-42902. Verify against the official Microsoft advisory or security update page for the specific patch version and applicable PowerToys release lines. Organizations should prioritize patching systems where PowerToys is deployed in multi-user, shared-access, or elevated-trust contexts. Restrict PowerToys installation to systems where its functionality is genuinely required, and consider limiting installation to administrative users only.
Patch guidance
Consult the Microsoft security advisory and the PowerToys GitHub repository for available updates. Prioritize patching in environments where multiple user accounts access shared systems or where PowerToys is used in privileged contexts. Test patches in a non-production environment to confirm compatibility with organizational workflows. For large deployments, use group policy or mobile device management (MDM) solutions to enforce updates across the fleet.
Detection guidance
Monitor system logs for unexpected privilege escalation events, particularly those originating from PowerToys processes. Audit user account privilege changes, especially from standard to administrative rights. Endpoint detection and response (EDR) tools should flag suspicious process execution chains involving PowerToys components followed by privilege escalation API calls. Track PowerToys version numbers across deployed systems to identify unpatched instances.
Why prioritize this
This vulnerability warrants HIGH priority because it enables local privilege escalation with low attack complexity and minimal user interaction. Although it requires pre-existing credentials, the transition from user-level to system-level access significantly increases the impact of any prior compromise. In zero-trust and least-privilege architectures, closure of privilege escalation vectors is critical to maintaining security boundaries.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects a local attack vector (AV:L), low attack complexity (AC:L), and a requirement for low-level privileges (PR:L). The impact is severe: an attacker gains high-level access to confidentiality, integrity, and availability of the affected system (C:H/I:H/A:H). The unchanged scope (S:U) means the attack does not cross security boundaries beyond the targeted system. This rating appropriately captures the privilege escalation risk in a local context while acknowledging the authentication prerequisite.
Frequently asked questions
Does this vulnerability affect me if I don't use Microsoft PowerToys?
No. This vulnerability is specific to Microsoft PowerToys. If your organization does not deploy PowerToys, you are not affected by this flaw. Verify your software inventory to confirm PowerToys is not installed on systems in your environment.
Can this vulnerability be exploited remotely?
No. The vulnerability requires local access and a valid user account on the target system. Remote exploitation is not possible. An attacker would first need to compromise a user account or gain physical/logical access to a system where PowerToys is installed.
What should I do if I discover an unpatched system with PowerToys?
Prioritize patching that system with the security update from Microsoft. In the interim, restrict administrative access to PowerToys and limit its installation to users who have a documented business need. Consider removing the software from systems where it is not actively required.
Is this vulnerability being actively exploited?
As of the publication date, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, suggesting limited or no evidence of active exploitation. However, the low barrier to exploitation means proactive patching remains important to prevent future abuse.
This analysis is based on the vulnerability information and CVSS vector provided as of the publication date. Security advisories, patch availability, and exploitation status may evolve. Refer to Microsoft's official security advisories and the PowerToys GitHub repository for authoritative guidance on patching, affected versions, and remediation steps. SEC.co does not provide legal, compliance, or risk management advice; consult your organization's security and legal teams for guidance on vulnerability response and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0072HIGHAndroid XR InputMethodManagerService Privilege Escalation (CVSS 7.8)
- CVE-2026-10236HIGHSourceCodester Water Billing System Improper Authorization Vulnerability (CVSS 7.3)
- CVE-2026-11462HIGHBeikeShop Stripe Plugin Authorization Bypass (HIGH)
- CVE-2026-47740HIGHShopper Admin Permission Bypass Enables Unauthorized Order Mutation and Payment Capture
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation