CVE-2026-20960 — Vulnetix

CVE-2026-20960 PUBLISHED CVSS 8 HIGH

Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.

EPSS 0.07% · 22.4th percentile

Risk Scores

CVSS v3.1

8

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

EPSS Score

0.07%

22.4th percentile

Affected Products

Vendor	Product	Versions
microsoft	power_apps	0
microsoft	power_apps_desktop_client	1.0.0
Microsoft	Microsoft Power Apps Desktop Client	1.0.0
Microsoft	N/A

Timeline

Jan 13, 2026 CVE Published
Jan 16, 2026 PoC Published
Jan 16, 2026 PoC Published
Jan 17, 2026 EPSS Score
Jan 17, 2026 PoC Published
Jan 19, 2026 PoC Published
Jan 20, 2026 EPSS Score
Jan 23, 2026 EPSS Score
Jan 25, 2026 EPSS Score
Jan 28, 2026 EPSS Score
Jan 29, 2026 CVE Updated
Jan 31, 2026 EPSS Score

References

PowerApps Desktop Client Remote Code Execution Vulnerability vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-20960 advisory

Open in Interactive Console →

$ Console Community · 100/wk Open console ›