Microsoft has disclosed a security vulnerability in Microsoft Teams for Android that could allow a local attacker to mount a spoofing attack, deceiving users into trusting malicious content or communications. The flaw, tracked as CVE-2026-32185, was disclosed on May 12, 2026, as part of Microsoft's coordinated May 2026 Patch Tuesday release, and a fix is already available via the Google Play Store.
Vulnerability Details
CVE-2026-32185 stems from how Microsoft Teams for Android handles file and directory access. Specifically, files or directories belonging to the application are accessible to external parties (the weakness class catalogued as CWE-552), which allows an unauthorized local attacker to manipulate or impersonate trusted elements within the app.
By exploiting this access weakness, an attacker who already has a foothold on the same device, such as a malicious app installed alongside Teams or someone with hands-on access, can conduct a spoofing attack: tricking victims into believing that malicious content or communications originate from a legitimate, trusted source within Teams. The practical impact includes the potential for:
- Impersonation of trusted contacts or organizational channels within Teams
- Delivery of malicious files or links that appear to come from verified internal sources
- Manipulation of displayed content to deceive users in high-security environments
CVSS Score and Severity
The vulnerability carries a CVSS 3.1 base score of 5.5, with a temporal (adjusted) score of 4.8, and has been rated Important in severity by Microsoft. Key characteristics include:
- Attack vector: Local (the attacker must run code on the device or have hands-on access to it)
- Privileges required: None, so no special account or elevation is needed
- User interaction: Required, so the victim must perform some action for the attack to succeed
- Confidentiality impact: High, meaning sensitive data or communications could be exposed. Note that a 5.5 base score with these metrics corresponds to the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, so the scoring attributes no integrity or availability impact to the bug even though its practical effect is spoofing
- Exploitability assessment: "Exploitation Less Likely" per Microsoft's own assessment
While the local attack vector limits the scope of exploitation compared to a remotely exploitable flaw, the absence of any privilege requirement means any app already on the device, or anyone who can install one, is a candidate attacker. That matters on shared, compromised, or corporate-managed devices where third-party apps are common.
Affected Product and Patch
The vulnerability specifically affects Microsoft Teams for Android. The patched build number is 1.0.0.2026092103, and the update is available through the Google Play Store. As of publication, the vulnerability has not been publicly exploited in the wild, and no proof-of-concept exploit code has been confirmed publicly.
Users and administrators are strongly encouraged to update Microsoft Teams for Android to the latest build immediately. In enterprise environments where Teams is centrally managed, mobile device management (MDM) platforms should be used to push the update to all enrolled devices.
Enterprise Implications
Microsoft Teams has become a critical communication and collaboration platform for enterprises worldwide, particularly following the widespread adoption of remote and hybrid work. Its use for sensitive business communications — including discussions of financial matters, strategic plans, and confidential projects — makes spoofing vulnerabilities particularly concerning.
In regulated industries such as financial services, healthcare, and government, where Teams is often used for compliance-sensitive communications, the potential for message or content spoofing carries significant legal and regulatory implications. Even a vulnerability rated “Exploitation Less Likely” can be weaponized by sophisticated attackers who target specific high-value individuals rather than conducting broad mass-exploitation campaigns.
Organizations should also consider whether this vulnerability could be chained with other local access techniques, such as a malicious app that shares storage with Teams, to reduce the amount of direct user interaction the attack needs.
Responsible Disclosure
Security researcher Ofek Levin from Enclave is credited with responsibly disclosing CVE-2026-32185 to Microsoft through coordinated disclosure. The patch was made available the same day as the public advisory as part of Microsoft’s May 2026 Patch Tuesday, which addressed 120 vulnerabilities in total across Microsoft’s product portfolio.
Recommended Actions
Security teams should take the following steps in response to CVE-2026-32185:
- Update Microsoft Teams for Android to build 1.0.0.2026092103 or later via the Google Play Store
- Use MDM solutions to enforce the update across all corporate-managed Android devices
- Audit Android device policies and, on test devices, the file permissions of the Teams data directories, to confirm they are not exposed to other installed applications (for example through shared or external storage)
- Remind end users to verify the source of unexpected file transfers or unusual messages received via Teams, particularly on mobile devices
- Consider prioritizing this patch on mobile endpoints used in high-security or regulated environments
While the immediate exploitation risk appears limited, patching should not be deferred. Vulnerabilities with no privilege requirements and high confidentiality impact warrant prompt remediation regardless of current exploitation likelihood.