Microsoft Teams Android Vulnerability Exposes Sensitive Data
Microsoft has disclosed a significant security vulnerability in Microsoft Teams for Android. Tracked as CVE-2026-42835, the flaw could enable an authenticated attacker to expose sensitive information over a network. Details were officially released on June 9, 2026, with the vulnerability rated as Important in severity.
The vulnerability stems from improper neutralization of special elements in output used by a downstream component, classified under CWE-74 (Injection).
According to Microsoft’s advisory, the weakness enables an authorized attacker to disclose information remotely, without requiring any user interaction.
The flaw carries a CVSS 3.1 base score of 8.1 (temporal score: 7.1), reflecting its considerable risk. The attack vector is Network (AV:N), confirming the vulnerability is remotely exploitable over the internet.
With an attack complexity of Low (AC:L), an attacker does not need advanced knowledge of the target system and can achieve repeatable exploitation success with a crafted payload against the vulnerable component.
Microsoft confirmed that a successful exploit could allow an attacker to read small portions of heap memory. While the scope of exposed data may appear limited, heap memory can contain sensitive runtime information, including authentication tokens, session data, or cached credentials, making even partial disclosure a serious concern in enterprise environments.
The CVSS metrics indicate a high impact on both Confidentiality and Availability, with no integrity impact. The Privileges Required metric is rated Low, meaning any authenticated user, including low-privileged accounts, could potentially trigger the vulnerability.
Microsoft’s exploitability assessment classifies this vulnerability as Exploitation Less Likely. The flaw has not been publicly disclosed and has not been observed in active exploitation at the time of publication. Exploit code maturity is listed as Unproven, and an official fix is already available.
Microsoft has released a security update for Microsoft Teams for Android, available through the Google Play Store. Users and enterprise administrators are strongly advised to update the application immediately via the official Microsoft Teams listing on Google Play.
Organizations relying on Teams for internal communications should prioritize this update, especially given the app’s widespread use in handling sensitive business conversations and file sharing.
The vulnerability was responsibly disclosed by Ofek Levin of Enclave through Microsoft’s coordinated vulnerability disclosure program.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


