CVE-2026-20960: What Microsoft Power Apps Admins Need to Do Now
The phrase "low-code" is often equated with "low-risk," but the recent discovery of CVE-2026-20960 proves otherwise. Microsoft has released a security update for this vulnerability in Power Apps, which allows an authorized attacker to execute code over the network if certain conditions are met.
If you build or administer solutions on the Power Platform, this is not a “read later” item. It directly affects the safety of your environments and your data.
What is CVE-2026-20960?
CVE-2026-20960 is a vulnerability in Microsoft Power Apps described as “improper authorization,” which can lead to Remote Code Execution (RCE) by an attacker who already has some level of access.
In other words, this isn't about an anonymous hacker on the internet; it’s about what a malicious (or compromised) account could do inside your tenant if you haven't applied the necessary patches.
Key Technical Details:
- CVSS 3.1 Score: 8.0 (High Severity)
- Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
- Affected Versions: Microsoft Power Apps versions prior to 3.25121.
- Weakness: CWE-285 (Improper Authorization).
- Impact: High impact on data confidentiality, integrity, and service availability.
Why This Matters for Power Platform Teams
On paper, “authorized attacker” and “user interaction required” can sound reassuring. In reality, this aligns perfectly with modern attack patterns like phishing, consent phishing, and compromised credentials.
For Power Platform and Dynamics 365 teams, the stakes are high:
- Proximity to Data: Power Apps often sit directly on top of business-critical data (Dataverse, SQL, custom APIs).
- Viral Patterns: Makers often reuse components and templates. A single vulnerable pattern can propagate across your entire environment.
- Ownership Gaps: Security responsibilities can get blurred between infra teams and low-code makers, leading to "patching paralysis."
Note: While there is no public proof-of-concept exploit for CVE-2026-20960 at the time of writing, and no evidence of active exploitation, the fact that a patch is already available means defenders have no excuse to wait.
Your "Action Today" Checklist
Here is a practical checklist you can use with your security and admin teams. The most critical takeaway is that patching the environment is not enough; you must also address legacy apps in production.
1. The "Re-Publish" Sprint
While Microsoft has secured the latest version of Power Apps Studio, apps published with older versions of the editor may still be at risk.
- The Cutoff Date: Any app published prior to January 1, 2026, is potentially vulnerable.
- Action: Manually re-publish all applications that were last updated before this date using Power Apps Studio version 3.25121 or higher.
- Verify: Check your version history in the maker portal to confirm the latest publish date and the Studio version used.
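As an added example (not from the advisory or from Microsoft), the following PowerShell inventory applies the two cutoffs above to every canvas app in the tenant, so the re-publish sprint starts from a list instead of from memory. It assumes the Microsoft.PowerApps.Administration.PowerShell module, a Power Platform admin sign-in, and that the raw service properties exposed under Internal.properties include lastPublishTime and createdByClientVersion; confirm those property names against one app from your own tenant before trusting the report.

```powershell
# Added example (not from the advisory): list canvas apps that need re-publishing.
# Requires the Microsoft.PowerApps.Administration.PowerShell module and an admin account.
# ASSUMPTION: $app.Internal.properties carries lastPublishTime and
# createdByClientVersion {major, minor}; verify against your tenant output.
Import-Module Microsoft.PowerApps.Administration.PowerShell

$Cutoff   = [datetime]'2026-01-01'   # publish-date cutoff from the advisory
$MinMajor = 3                        # Studio 3.25121 or higher is the fixed build
$MinMinor = 25121

function Test-NeedsRepublish {
    param([Parameter(Mandatory)] $App)
    $props = $App.Internal.properties

    # Prefer the real publish time; fall back to LastModifiedTime if it is absent.
    $published = [datetime]$App.LastModifiedTime
    if ($props.lastPublishTime) { $published = [datetime]$props.lastPublishTime }

    # If the Studio version that built the app is unknown, treat it as old.
    $ver = $props.createdByClientVersion
    $oldStudio = $true
    if ($ver -and $null -ne $ver.major) {
        $oldStudio = ([int]$ver.major -lt $MinMajor) -or
                     ([int]$ver.major -eq $MinMajor -and [int]$ver.minor -lt $MinMinor)
    }
    return ($published -lt $Cutoff) -or $oldStudio
}

Add-PowerAppsAccount   # interactive sign-in as a Power Platform admin

$report = foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($app in Get-AdminPowerApp -EnvironmentName $env.EnvironmentName) {
        if (Test-NeedsRepublish -App $app) {
            $v = $app.Internal.properties.createdByClientVersion
            [pscustomobject]@{
                Environment   = $env.DisplayName
                App           = $app.DisplayName
                Owner         = $app.Owner.email
                LastPublished = $app.Internal.properties.lastPublishTime
                StudioVersion = if ($v) { "$($v.major).$($v.minor)" } else { 'unknown' }
            }
        }
    }
}

# Oldest publish dates first, so the sprint can be worked in risk order.
$report | Sort-Object LastPublished | Format-Table -AutoSize
$report | Export-Csv -Path .\republish-sprint.csv -NoTypeInformation
```

Apps whose Studio version cannot be read are deliberately included, since an unknown build is not evidence of a fixed one.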
2. Confirm Patch Status
- Update Mobile: Ensure all users have "Automatic Updates" enabled for the Power Apps mobile player on their devices.
- Identify Mappings: Use the Microsoft Security Update Guide to map affected tenants and identify specific Knowledge Base (KB) updates required for your region.
- Audit remediation: Check your vulnerability management dashboards (Defender for Cloud, Tenable, etc.) to ensure this CVE is being tracked.
3. Revisit Least Privilege
Since this vulnerability involves improper authorization, tightening access is your best defense.
- Review Role Assignments: Audit the Power Platform Admin Center (PPAC) and Entra ID for over-privileged makers.
- Harden App Manifests: Review and remove any unnecessary wildcard entries in validDomains.
- Separate Duties: Avoid using the same accounts for development, deployment, and production administration.
4. Strengthen Identity and Monitoring
Exploitation requires an authorized user. If you control the identity, you control the risk.
- Enforce MFA: This is non-negotiable for all privileged roles.
- Harden Teams Integration: If using Power Apps in Teams, restrict isFullTrust in manifests to only those apps that strictly require it.
- Behavioral Hunting: Monitor for unusual outbound connections from Power Platform backends or anomalous token exchanges in your SIEM/audit logs.
5. Partner with Your Makers and Citizen Developers
Securing the platform is a joint effort. Many Power Apps are created by citizen developers who don't follow security advisories day-to-day.
- Internal Update: Share a "plain language" update explaining the importance of the re-publishing sprint.
- Best Practices: Remind makers to avoid using personal accounts for app connections and to use official environment connectors.
- Encourage Reporting: Make sure they know how to flag suspicious behavior or unexpected prompts within their apps.
The Big Picture: Low-Code Security Posture
CVE-2026-20960 is a reminder that complex, highly integrated platforms periodically reveal new pivot points for attackers. Instead of treating this as a one-off fire drill, use it as a catalyst to:
- Formalize how Power Platform fits into your Vulnerability Management process.
- Align environments with secure configuration baselines (DLP, logging, identity).
- Governance Tools: Regularly review new CVEs affecting cloud services. Using tools like the Power Platform Center of Excellence (CoE) Starter Kit can help you maintain the visibility needed for proactive governance.
Closing Thoughts
Microsoft has shipped the fixes. Now it’s our turn to verify and secure. If you are responsible for Power Apps or Dynamics 365, do not wait for a breach to find out your legacy apps were exposed. Start your re-publishing sprint today and bring your makers into the security conversation.
What is your team's process for handling cloud-service CVEs? Let’s discuss in the comments or over on LinkedIn.