Microsoft Teams for Android Vulnerability Allows Attackers to Disclose Sensitive Information


Microsoft has disclosed a significant security vulnerability in Microsoft Teams for Android that could allow an authenticated attacker to disclose sensitive information over a network. The flaw, tracked as CVE-2026-42835, was officially released on June 9, 2026, and has been rated Important in severity.

The vulnerability stems from improper neutralization of special elements in output used by a downstream component, classified under CWE-74 (Injection).

According to Microsoft's advisory, the weakness enables an authorized attacker to disclose information remotely, without requiring any user interaction.

The flaw carries a CVSS 3.1 base score of 8.1 (temporal score: 7.1), reflecting its considerable risk. The attack vector is Network (AV:N), confirming the vulnerability is remotely exploitable over the internet.

With an attack complexity of Low (AC:L), an attacker does not need advanced knowledge of the target system and can achieve repeatable exploitation success with a crafted payload against the vulnerable component.

Microsoft confirmed that a successful exploit could allow an attacker to read small portions of heap memory. While the scope of exposed data may seem limited, heap memory can contain sensitive runtime information, including authentication tokens, session data, or cached credentials, making even partial disclosure a serious concern in enterprise environments.

The CVSS metrics indicate a high impact on both Confidentiality and Availability, with no Integrity impact. The Privileges Required metric is rated Low, meaning any authenticated user, including low-privileged accounts, could potentially trigger the vulnerability.

Microsoft's exploitability assessment classifies this vulnerability as Exploitation Less Likely. The flaw has not been publicly disclosed and has not been observed in active exploitation at the time of publication. Exploit code maturity is listed as Unproven, and an official fix is already available.

Microsoft has released a security update for Microsoft Teams for Android, available through the Google Play Store. Users and enterprise administrators are strongly advised to update the application immediately via the official Microsoft Teams listing on Google Play.

Organizations relying on Teams for internal communications should prioritize this update, especially given the app's widespread use in handling sensitive business conversations and file sharing.

The vulnerability was responsibly disclosed by Ofek Levin of Enclave through Microsoft's coordinated vulnerability disclosure program.