Microsoft Teams vulnerability CVE-2026-32185 could allow local attackers to spoof trusted elements in Teams for Android, Microsoft disclosed in its May 2026 Patch Tuesday update.
Microsoft rated the flaw Important. It carries a CVSS 3.1 base score of 5.5 and an adjusted environmental score of 4.8.
The vulnerability affects Microsoft Teams for Android. The patched build is 1.0.0.2026092103 and is available on the Google Play Store.
Microsoft said attackers do not need any privileges to exploit the flaw. However, exploitation requires user interaction and a local attack vector.
The issue stems from Teams files or directories being accessible to external parties. As a result, an unauthorised local attacker could conduct spoofing attacks.
Microsoft listed exploitation as “Less Likely.” The company said it had found no public disclosures or in-the-wild exploitation at the time of publication.
Read: Microsoft 365 Outage Hits Outlook and Teams, Users Report Major Disruptions
Microsoft said security researcher Ofek Levin of Enclave responsibly reported the issue.
Organisations using Teams in regulated or high-security environments should prioritise the Android update, especially on mobile devices used for business communication.
