Cyber Resilience

CVE-2026-20960

Severity: High
Published: 16 January 2026
Modified: 12 February 2026
KEV added: not listed
Patch: see Microsoft's update guide (linked under Deeper analysis)
CVSS v3.1 score: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0007 (22.4th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-20960 is a high-severity Improper Authorization (CWE-285) vulnerability in Microsoft Power Apps. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 22.4th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-20960 is an improper authorization vulnerability affecting Microsoft Power Apps, published on 2026-01-16. It stems from issues mapped to CWE-285 (Improper Authorization) and CWE-863 (Incorrect Authorization), enabling an authorized attacker to execute code over a network. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires low privileges (PR:L) and occurs over the network (AV:N) with low attack complexity (AC:L), though it demands user interaction (UI:R). Successful attacks result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) without changing scope (S:U), allowing the attacker to execute arbitrary code.

Microsoft's Security Response Center provides an update guide with mitigation details at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20960.

Vulnerability details

Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.

CWE(s): CWE-285 (Improper Authorization), CWE-863 (Incorrect Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Improper authorization in network-accessible Power Apps directly enables remote arbitrary code execution (T1190) via command/script interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32172 (same product: Microsoft Power Apps)
CVE-2026-26149 (same product: Microsoft Power Apps)
CVE-2026-33105 (same vendor: Microsoft)
CVE-2025-21348 (same vendor: Microsoft)
CVE-2025-59272 (same vendor: Microsoft)
CVE-2025-49701 (same vendor: Microsoft)
CVE-2025-21410 (same vendor: Microsoft)
CVE-2025-59286 (same vendor: Microsoft)
CVE-2025-59252 (same vendor: Microsoft)
CVE-2026-42898 (same vendor: Microsoft)

Affected Assets

Vendor: Microsoft
Product: Power Apps
Affected versions: ≤ 3.25121

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

AC-3 Access Enforcement (prevent): Directly enforces approved authorizations for access to system resources, mitigating the improper authorization (CWE-285/863) that allows low-privilege attackers to execute arbitrary code in Power Apps.

Least privilege (prevent): Restricts what low-privilege (PR:L) users can do, so that unauthorized actions such as code execution are limited even where an authorization check is flawed.

SI-2 Flaw Remediation (prevent): Ensures timely identification, reporting, and patching of the specific Power Apps authorization flaw described in Microsoft's update guide, closing the network-based exploitation path.
