HIGH 7.1

CVE-2026-45649: Office for Android Access Control Flaw Enables Document Spoofing

A flaw in Microsoft Office apps on Android devices allows someone with local access to spoof or impersonate document content without requiring special permissions or user interaction beyond launching the app. An attacker with physical or logical access to the device could manipulate what appears in Word, Excel, or PowerPoint documents, potentially tricking the device owner or others into trusting falsified information. The vulnerability affects the access control layer that should prevent unauthorized modification of displayed document content.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-284
Affected products
3 configuration(s)
Published / Modified
2026-06-09 / 2026-06-19

NVD description (verbatim)

Improper access control in Office for Android allows an unauthorized attacker to perform spoofing locally.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-45649 is an improper access control vulnerability (CWE-284) in Microsoft Office for Android that enables local spoofing attacks. The flaw resides in the presentation layer logic that governs access to document rendering and display properties across Word, Excel, and PowerPoint. With no privilege requirement and only user interaction needed to launch the application, an attacker can bypass intended restrictions and inject or alter document content as viewed on screen. The CVSS 3.1 score of 7.1 (HIGH) reflects high impact to confidentiality and integrity, constrained by the local attack vector and requirement for user awareness to open the application.

Business impact

Document integrity and authenticity are cornerstones of enterprise workflows. This vulnerability enables an attacker to alter what employees see in critical business documents—spreadsheets with financial data, presentations for stakeholder meetings, or contracts—without requiring administrative privileges. The spoofed content could lead to incorrect business decisions, compromised negotiations, or misplaced trust in falsified information. For organizations with shared or BYOD Android devices, the risk extends to data exfiltration or social engineering if attackers can present forged communications or financial reports.

Affected systems

Microsoft Office for Android is affected, specifically Excel, PowerPoint, and Word. The vulnerability applies to all versions until a patch is released by Microsoft. Organizations should prioritize inventory of Android-based Office deployments, including personal devices with corporate access and shared devices in bring-your-own-device programs. The local-only attack vector means devices must be accessible to the attacker—either physically or through prior compromise—limiting but not eliminating risk in managed environments.

Exploitability

Exploitation requires local access to an Android device running one of the affected Office apps. No network connectivity, remote code execution, or elevated privileges are needed. The attacker must persuade or manipulate a user to open the app, after which the access control weakness can be triggered to spoof document content. While this is not trivial—it demands physical or logical proximity—it is straightforward to execute once access is obtained, and the barrier to user interaction is minimal. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog, but the low technical barrier suggests active exploitation is plausible if the flaw becomes widely known.

Remediation

Microsoft has not yet released a patch version. Organizations should monitor Microsoft's security advisories and the Office for Android release notes for a fix targeting this improper access control. Until patching is available, consider mitigating controls: restrict Office for Android on shared or high-risk devices, enforce device enrollment and compliance policies on BYOD hardware, educate users on verifying document authenticity through alternative channels, and implement mobile device management (MDM) rules to disable Office on unmanaged devices. For high-sensitivity workflows, prioritize desktop Office clients until Android vulnerability is resolved.

Patch guidance

Verify the latest Microsoft Office for Android release through the Google Play Store or your MDM console for patches addressing CVE-2026-45649. Check Microsoft Security Update Guide and official Office release notes for confirmation of the fixed version. Organizations using MDM should configure automatic updates for Office on managed devices and test patches in a pilot group before broad deployment. Given the local-only attack vector, patching can be staged; prioritize devices in higher-risk settings (shared workspaces, BYOD programs) first.

Detection guidance

On Android devices, monitor for unauthorized modifications to document appearance or content using Mobile Threat Defense (MTD) solutions that inspect Office app behavior. Ensure audit logging is enabled on MDM platforms to track Office app versions and update compliance. Look for suspicious access patterns: repeated opening and closing of sensitive documents without legitimate business context, or reports from users that documents appear altered. Network-level detection is limited due to the local nature of the attack, but behavioral analysis of Office app crashes or unexpected permission requests may surface exploitation attempts.

Why prioritize this

Although the attack requires local access, the combination of high integrity impact, ease of exploitation, and reliance on common Office applications warrant prioritization. Organizations with BYOD policies or shared Android devices face elevated risk. The vulnerability affects three widely-used Office products and could enable supply-chain social engineering if attackers spoof business communications. Patching should be prioritized for any environment where Android Office devices access or display sensitive business documents.

Risk score, explained

The CVSS 3.1 score of 7.1 reflects high confidentiality and integrity impact balanced against the local attack vector (AV:L) and requirement for user interaction (UI:R). No privilege escalation is needed (PR:N), and the impact is not user-scoped but affects the entire system (S:U). The lack of availability impact (A:N) prevents a critical rating, but the ability to freely modify how documents are presented to the user justifies the HIGH severity designation.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. CVE-2026-45649 requires local access to the Android device. An attacker must be physically present or have already compromised the device through another means. Remote exploitation is not possible with this vulnerability alone.

If I keep my Android Office apps up to date, am I protected?

Not yet. As of the last update, Microsoft has not released a patch for this flaw. Once Microsoft releases a fix, ensuring timely installation will be critical. Until then, mitigation relies on device access controls and user vigilance.

Does this vulnerability steal data, or just display it incorrectly?

The vulnerability enables spoofing and tampering with how documents are presented on screen. It can alter what a user sees, leading to misinformed decisions. Data exfiltration is not a direct consequence, but the ability to forge documents could facilitate social engineering or fraud.

Which is safer: Office for Android or desktop Office?

Desktop Office on Windows or macOS does not appear to be affected by this specific improper access control flaw. If handling highly sensitive documents on Android is not essential, desktop clients offer a lower-risk alternative until patches are available.

This analysis is based on vulnerability data current as of June 2026 and vendor advisories available at that time. Patch availability, affected versions, and mitigations may change; verify against the latest Microsoft Security Update Guide and Office for Android release notes before implementing remediation. This explainer does not constitute professional security advice; consult your security team and vendor documentation for your specific environment. No exploit code or weaponized proof-of-concept details are provided in this intelligence. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).