Brief Summary: Microsoft Power Apps CVE-2026-32172 Uncontrolled Search Path Leading to Remote Code Execution

A short review of CVE-2026-32172, a high-severity uncontrolled search path vulnerability in Microsoft Power Apps that could allow unauthenticated remote code execution. Microsoft has already applied a server-side fix, and no customer action is required.

ZeroPath CVE Analysis

2026-04-23

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

An uncontrolled search path vulnerability in Microsoft Power Apps scored a CVSS 8.0 and carried the potential for unauthenticated remote code execution with a scope change, meaning exploitation could have reached beyond the Power Apps component itself. The good news: Microsoft remediated this entirely on the server side before public disclosure, and no customer action is required.

This CVE is worth understanding not because of an active threat, but because of what it reveals about cloud service vulnerability management and the nuances of CWE-427 in a hosted environment.

Technical Information

Root Cause: CWE-427 Uncontrolled Search Path Element

CVE-2026-32172 is rooted in CWE-427, Uncontrolled Search Path Element. This class of vulnerability occurs when an application resolves a resource (such as a library, executable, or configuration file) through a search path that an attacker can influence. In a typical on-premises scenario, this takes the form of DLL hijacking or PATH manipulation: the loader checks a list of directories in order, and whoever can write to a directory that is searched before the legitimate one decides which file gets loaded. In the context of a cloud-hosted service like Power Apps, the underlying mechanics are the same: the service resolved a resource via a path that could be manipulated by an external party, opening a vector for code execution.

Microsoft has not published specific technical exploit chains or affected version numbers, which is consistent with their handling of cloud service CVEs where the infrastructure is entirely vendor managed.
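The advisory does not say which resource Power Apps resolved or how the search path was influenced, so the following is an added, generic illustration of the CWE-427 pattern and not code from Microsoft or from this post. It places a resolver that walks an ordered search path (the first match wins, so a directory writable by an untrusted party earlier in the list controls the result) beside a hardened resolver that is pinned to one trusted directory, accepts only bare file names, and checks that the canonical result still sits inside that directory. The directory layout and file names (`handler.cfg`, `user_writable`) are constructed sample data.

```python
# Added example (not from the advisory): CWE-427 resource resolution with an
# attacker-influenced search path, beside a hardened single-directory resolver.
import tempfile
from pathlib import Path
from typing import List, Optional


def resolve_unsafe(name: str, search_path: List[str]) -> Optional[Path]:
    """CWE-427 pattern: walk an ordered search path and return the first match.

    If any directory earlier in the list is writable by an untrusted party
    (a per-user temp dir, the working directory, a user-supplied prefix),
    that party decides which file is loaded.
    """
    for directory in search_path:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def resolve_safe(name: str, trusted_dir: str) -> Path:
    """Hardened resolver: no search path, one trusted directory, and the
    canonical result must be a direct child of that directory."""
    trusted = Path(trusted_dir).resolve(strict=True)
    # Accept only a bare file name: no separators, no '.', no '..'.
    if not name or name in (".", "..") or Path(name).name != name:
        raise ValueError(f"refusing non-bare resource name: {name!r}")
    candidate = (trusted / name).resolve()
    # resolve() follows symlinks, so a link planted inside the trusted
    # directory that points elsewhere fails this containment check.
    if candidate.parent != trusted:
        raise ValueError(f"resource escapes trusted directory: {candidate}")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate


def demo() -> dict:
    """Build two directories (constructed sample data) and compare resolvers."""
    with tempfile.TemporaryDirectory() as root:
        trusted = Path(root, "app", "resources")
        untrusted = Path(root, "user_writable")
        trusted.mkdir(parents=True)
        untrusted.mkdir()
        (trusted / "handler.cfg").write_text("genuine=1\n")
        (untrusted / "handler.cfg").write_text("planted=1\n")

        # A search order that lists the user-controlled directory first.
        search_path = [str(untrusted), str(trusted)]
        unsafe_hit = resolve_unsafe("handler.cfg", search_path)
        safe_hit = resolve_safe("handler.cfg", str(trusted))

        # Names the hardened resolver must refuse outright.
        rejected = []
        for bad in ("../user_writable/handler.cfg", "..", "sub/handler.cfg"):
            try:
                resolve_safe(bad, str(trusted))
            except ValueError:
                rejected.append(bad)

        return {
            "unsafe_loaded_planted": unsafe_hit.read_text().startswith("planted"),
            "safe_loaded_genuine": safe_hit.read_text().startswith("genuine"),
            "rejected_names": rejected,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `resolve_safe` is that there is nothing left for an outside party to influence: the directory is fixed by the application, the name cannot carry path components, and the post-canonicalisation containment check catches symlinks that the name check alone would miss. When auditing a service for this weakness, the questions to ask are exactly the ones the two functions differ on: who can write to each directory on the search list, and is the result re-checked after canonicalisation.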

CVSS Vector Breakdown

The full CVSS 3.1 vector provides useful context about the nature of this flaw:

Metric               | Value             | Interpretation
---------------------|-------------------|--------------------------------------------------------------
Attack Vector        | Network (AV:N)    | Exploitable remotely over a network
Attack Complexity    | High (AC:H)       | Requires specific conditions or significant attacker effort
Privileges Required  | None (PR:N)       | No prior authentication needed
User Interaction     | Required (UI:R)   | A user must interact with a malicious element
Scope                | Changed (S:C)     | Impact extends beyond the vulnerable component
Confidentiality      | High (C:H)        | Total loss of confidentiality for affected data
Integrity            | High (I:H)        | Total loss of integrity for affected data
Availability         | None (A:N)        | No impact on service availability

The combination of no privileges required with a scope change is what drives the score to 8.0 despite the high attack complexity and user interaction requirement. The scope change (S:C) is particularly significant: it indicates that a successful exploit against the Power Apps component could compromise resources in a different security authority, such as data or services outside the immediate Power Apps boundary.

The absence of availability impact (A:N) combined with high confidentiality and integrity impact suggests this was a data exfiltration and manipulation vector rather than a denial of service path.

Attack Flow

Based on the CVSS metrics and CWE classification, the general attack flow would have proceeded as follows:

  1. An unauthorized attacker, requiring no prior authentication (PR:N), crafts a malicious payload that exploits the uncontrolled search path in the Power Apps service.
  2. The attack is delivered over the network (AV:N), but requires specific conditions to succeed (AC:H).
  3. A user must interact with a malicious element to trigger the exploit (UI:R), suggesting the attack likely involved social engineering or a crafted Power Apps artifact.
  4. Upon successful exploitation, the attacker achieves code execution that crosses a security boundary (S:C), compromising both confidentiality and integrity of data.

Microsoft fixed this by correcting how the Power Apps service resolves resource paths on the server side, eliminating the manipulable search path that served as the attack vector.

April 2026 Power Apps Context

This was not the only high severity Power Apps vulnerability addressed in April 2026. Microsoft also patched CVE-2026-26149, a CVSS 9.0 flaw involving Improper Neutralization of Escape, Meta, or Control Sequences. The presence of multiple critical findings in the same release cycle for Power Apps suggests the platform underwent significant security review during this period. Organizations heavily reliant on Power Apps should review their data sharing and tenant boundary policies, especially given the scope change metrics associated with these flaws.

Patch Information

CVE-2026-32172 affects Microsoft Power Apps, a cloud hosted service, and the fix was applied entirely on Microsoft's side. There is no downloadable patch, KB article, or build number for end users to install.

According to the MSRC advisory published on April 23, 2026, the vulnerability "has already been fully mitigated by Microsoft" and explicitly states that "there is no action for users of this service to take."

The Security Updates table on the MSRC page confirms this by listing no associated article, download link, or build number; all fields are marked as empty. The Customer Action Required field is set to Not Required.

By fixing how the Power Apps service resolves resource paths on the server side, Microsoft eliminated the vector that would have allowed an unauthorized attacker to achieve remote code execution over a network. The Remediation Level in the CVSS temporal metrics is set to Official Fix, confirming the patch is complete and final. The CVE.org record also tags the MSRC advisory reference as both vendor-advisory and patch, further corroborating that the fix is in place.

Microsoft published this CVE under its "Toward greater transparency: Unveiling Cloud Service CVEs" initiative (referenced at https://aka.ms/MSRC-Cloud-CVEs), which is their practice of disclosing vulnerabilities in cloud services even when customers do not need to take action.

In summary, no manual patching steps are required. The fix was a server side remediation applied by Microsoft to the Power Apps cloud platform prior to public disclosure.

Affected Systems and Versions

Microsoft Power Apps is the affected product. Because Power Apps is an exclusively hosted cloud service, Microsoft has not provided a list of affected product versions, specific build numbers, or vulnerable configurations. The vulnerability existed within Microsoft's cloud infrastructure and was remediated server side before public disclosure. All Power Apps customers are already protected.

Vendor Security History

In the April 2026 update cycle alone, Microsoft released security updates addressing 165 different CVEs across its product ecosystem. Within Power Apps specifically, at least two high severity vulnerabilities were addressed:

CVE Identifier   | CVSS Score | Vulnerability Type                                            | Exploitability Status
-----------------|------------|---------------------------------------------------------------|--------------------------
CVE-2026-26149   | 9.0        | Improper Neutralization of Escape, Meta, or Control Sequences | Exploitation Less Likely
CVE-2026-32172   | 8.0        | Uncontrolled Search Path Element                              | Unproven Exploit Maturity

The clustering of multiple high severity findings in Power Apps during a single release cycle indicates that the platform was subject to focused security research and review. Microsoft's decision to publish these CVEs under their cloud transparency initiative, even when no customer action is needed, reflects an evolving approach to cloud service vulnerability disclosure.

The vulnerability was discovered and reported by Hritik Sateesh, an Application Security Researcher with Stantec.
