PatchSiren cyber security CVE debrief
CVE-2026-40374 Microsoft CVE debrief
A medium-severity information disclosure vulnerability in Microsoft Power Automate for Desktop allows an authenticated attacker to expose sensitive data over a network. The vulnerability, published by NVD on May 12, 2026 and last modified on May 19, 2026, stems from improper exposure of sensitive information to unauthorized actors (CWE-200). Affected versions are those prior to 2.67. Microsoft has released a vendor advisory with remediation guidance. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a network attack vector with low attack complexity, requiring low privileges but no user interaction, resulting in high confidentiality impact with no integrity or availability impact. No known exploitation in the wild or ransomware campaign use has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Microsoft
- Product: Power Automate for Desktop
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-19
Who should care
Organizations using Microsoft Power Automate for Desktop for business process automation, particularly those handling sensitive data in automated workflows. Security teams responsible for Microsoft 365 and Power Platform governance should prioritize patching. Compliance officers in regulated industries should assess potential data exposure risks from unpatched installations.
Technical summary
The vulnerability exists in Microsoft Power Automate for Desktop versions prior to 2.67. An authenticated attacker with low privileges can exploit this flaw over a network to disclose sensitive information. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The attack requires no user interaction and has low complexity, making it relatively straightforward to exploit once authenticated access is obtained. The confidentiality impact is rated high, though integrity and availability are unaffected.
Defensive priority
medium
Recommended defensive actions
- Update Microsoft Power Automate for Desktop to version 2.67 or later to remediate this information disclosure vulnerability
- Review network segmentation and access controls for Power Automate deployments to limit exposure of sensitive workflow data
- Monitor Microsoft Security Response Center advisories for additional guidance or defense-in-depth recommendations
- Assess Power Automate flows for sensitive data handling and implement least-privilege access principles for automation accounts
Evidence notes
Vendor advisory confirms affected product and fixed version. NVD analysis provides CVSS scoring and CPE criteria. No KEV entry or exploitation reports identified.
Official resources
- CVE-2026-40374 CVE record (CVE.org)
- CVE-2026-40374 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Microsoft disclosed this vulnerability through their Security Response Center. The issue was analyzed and published in the NVD on May 12, 2026, with a metadata update on May 19, 2026.