Microsoft patches critical flaw letting attackers bypass Power Apps security warnings

Microsoft has addressed a critical vulnerability in Power Apps as part of its April 2026 security update. The flaw is tracked as CVE-2026-26149 and carries a severity score of 9.0 out of 10. The vulnerability allows attackers to bypass the standard security warning dialogs built into the platform. By tricking a user into interacting with a malicious element within an app, attackers can force external protocol calls that execute unintended actions directly on the user's device. Microsoft reports no active exploitation in the wild. However, the patch requires direct intervention from app creators: canvas apps that are already deployed must be republished before they inherit the new security mitigations.
Creators usually treat internal canvas apps as inherently safe sandboxes. Because these tools sit behind corporate Microsoft 365 logins and typically just read and write to SharePoint lists, security feels like an IT department responsibility. The platform's built-in warning prompts have always acted as a reliable safety net against accidental clicks. This vulnerability shatters the illusion that low-code means low-risk. A bypassed security prompt turns a simple expense tracker or inventory gallery into a delivery mechanism for device-level exploits. It shifts the burden back to the app creator, proving that maintaining a Power App requires active lifecycle management rather than building a tool once and walking away.
Analysis
IT departments use security scares exactly like this to lock down citizen development and revoke builder permissions. Protect your right to build by opening the Power Apps studio today, loading every active canvas app your team relies on, and hitting republish to force the patched platform version onto your users.
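Republishing every app by hand starts with knowing which apps exist and which ones have not been touched since the update. The script below is an added example, not code from the article or from Microsoft; it uses the Power Apps admin PowerShell module to inventory canvas apps across all environments and flag those whose last-modified date predates a cutoff you set. The cutoff date is a placeholder, and the property names read from the cmdlet output (AppName, DisplayName, EnvironmentName, LastModifiedTime, Owner) are assumed to match current module versions, so check them against your installed module.

```powershell
# Added example (not from the article or Microsoft): inventory canvas apps and
# flag those not modified since a cutoff date, as the worklist for the
# republish pass the article calls for.
# Assumes the Microsoft.PowerApps.Administration.PowerShell module and an
# account with Power Platform admin rights.

Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in

# Placeholder: set this to the day you applied the April 2026 update.
$Cutoff = Get-Date '2026-04-14'

$report = foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($app in Get-AdminPowerApp -EnvironmentName $env.EnvironmentName) {
        [pscustomobject]@{
            Environment  = $env.DisplayName
            App          = $app.DisplayName
            AppId        = $app.AppName
            Owner        = $app.Owner.displayName        # assumed nested field
            LastModified = $app.LastModifiedTime
            # Apps last modified before the cutoff cannot have been republished since it.
            NeedsReview  = ([datetime]$app.LastModifiedTime -lt $Cutoff)
        }
    }
}

# Show the apps still needing a republish, grouped by environment.
$report | Where-Object NeedsReview | Sort-Object Environment, App | Format-Table -AutoSize

# Keep the full inventory so the republish pass can be tracked to completion.
$report | Export-Csv -Path .\canvas-app-republish-review.csv -NoTypeInformation
```

The last-modified timestamp is a proxy: an app modified after the cutoff may still have been saved without being published, so confirm the published version in the maker portal before closing an item on the list.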
Pulse published by Collab365 Spaces. Cite as "Microsoft patches critical flaw letting attackers bypass Power Apps security warnings", Collab365 Spaces.