CVE-2026-20949
Published: 13 January 2026
Summary
CVE-2026-20949 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Office Long Term Servicing Channel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 5.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely identification, reporting, and correction of flaws via vendor patches directly remediates the improper access control vulnerability in Microsoft Office Excel.
- SI-3 (Malicious Code Protection): malicious code protection scans and blocks specially crafted Excel files that exploit the access control bypass.
- Secure configuration settings for Microsoft Office enforce protective features such as Protected View, mitigating unauthorized bypass of security controls.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local bypass of an Excel security feature via a crafted file directly enables client-side exploitation and execution of the malicious file by the user.
NVD Description
Improper access control in Microsoft Office Excel allows an unauthorized attacker to bypass a security feature locally.
Deeper analysis
CVE-2026-20949 is an improper access control vulnerability in Microsoft Office Excel that allows an unauthorized attacker to bypass a security feature locally. Published on 2026-01-13T18:16:22.487, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-284 (Improper Access Control).
The vulnerability can be exploited by a local attacker with no required privileges, but it requires user interaction, such as opening a specially crafted Excel file. Successful exploitation bypasses the security feature, resulting in high impact to confidentiality, integrity, and availability on the affected system.
Microsoft's Security Response Center provides an update guide with details on this vulnerability at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20949.
Details
- CWE(s)