PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32185 Microsoft CVE debrief

A medium-severity spoofing vulnerability in Microsoft Teams for Android stems from files or directories being accessible to external parties (CWE-552). The vulnerability allows an unauthorized attacker to perform spoofing attacks locally. The attack requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), with high impact to confidentiality (C:H) but no integrity or availability impact. Microsoft has addressed this in Teams for Android version 1.0.0.2026092103 and later. The vulnerability was published on May 12, 2026, with the NVD entry last modified on May 18, 2026.

Vendor
Microsoft
Product
Microsoft Teams for Android
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-18
Advisory published
2026-05-12
Advisory updated
2026-05-18

Who should care

Organizations deploying Microsoft Teams on Android devices, mobile device management (MDM) administrators, and security teams responsible for endpoint protection on corporate mobile devices.

Technical summary

The vulnerability exists in Microsoft Teams for Android where files or directories are accessible to external parties, enabling local spoofing attacks. The flaw (CWE-552) allows an attacker with local access to exploit insufficient file permission controls. Successful exploitation requires user interaction but no privileges, resulting in high confidentiality impact. Microsoft has released version 1.0.0.2026092103 to remediate this issue.

Defensive priority

medium

Recommended defensive actions

  • Update Microsoft Teams for Android to version 1.0.0.2026092103 or later.
  • Review application file permissions and storage access patterns on Android endpoints.
  • Monitor for anomalous local file access attempts in Teams application directories.
  • Apply principle of least privilege for file system access in mobile application deployments.

Evidence notes

CWE-552 (Files or Directories Accessible to External Parties) identified as the primary weakness. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. Affected product: Microsoft Teams for Android, with fix version 1.0.0.2026092103.

Official resources

2026-05-12