CVE-2026-40374 Overview
CVE-2026-40374 is an information disclosure vulnerability in Microsoft Power Automate. The flaw exposes sensitive information to an unauthorized actor, allowing an authenticated attacker to disclose data over a network. The weakness is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Microsoft Power Automate is a cloud-based workflow automation service used across enterprise environments to orchestrate business processes, integrate SaaS platforms, and move data between systems. Successful exploitation grants attackers access to confidential workflow data, connection credentials, or business logic stored within the platform.
Critical Impact
An authenticated attacker can read sensitive information from Power Automate over the network without requiring user interaction, impacting confidentiality of automated workflows and integrated data sources.
Affected Products
- Microsoft Power Automate (cloud service)
- Power Automate workflows accessible over the network
- Tenants exposing Power Automate connectors and flows
Discovery Timeline
- 2026-05-12 - CVE-2026-40374 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-40374
Vulnerability Analysis
The vulnerability stems from improper protection of sensitive information within Microsoft Power Automate. An authenticated, low-privileged attacker can issue network requests that return data the requester should not be permitted to read. The CWE-200 classification confirms that the root issue is exposure of information to an unauthorized actor rather than a memory safety or code execution defect.
Exploitation requires that the attacker hold valid credentials within the Power Automate environment. The attack does not require user interaction and can be triggered remotely over the network. Confidentiality is the only impacted security property; integrity and availability remain unaffected by this issue.
Environments using Power Automate often store connection references, API tokens, and business records inside flows. Disclosure of this data can enable downstream attacks against connected SaaS platforms and on-premises gateways. The exposed information may also include parameters passed between cloud connectors, run history, or workflow execution details.
Root Cause
The root cause is insufficient access control or output filtering within a Power Automate component that returns data over the network. Microsoft has not published implementation-level details. The Microsoft Security Advisory is the authoritative source for affected components.
Attack Vector
The attack vector is network-based and requires authentication. An attacker with a low-privileged Power Automate account sends crafted requests to the service and receives data belonging to other users or workflows. No social engineering or local access is needed.
No verified public exploit code or proof-of-concept is available at the time of publication. Refer to the Microsoft Security Advisory for technical details once additional guidance is released.
Detection Methods for CVE-2026-40374
Indicators of Compromise
- Unusual Power Automate API access patterns from accounts that do not typically query flow run history or connection metadata.
- Spikes in read operations against Power Automate resources from a single principal within a short time window.
- Authenticated requests originating from atypical IP addresses or geolocations associated with Power Automate API endpoints.
Detection Strategies
- Review Microsoft Purview and Entra ID audit logs for Power Automate activity, focusing on read operations against flows and connections.
- Correlate Power Platform admin activity logs with sign-in logs to identify accounts exhibiting reconnaissance-style behavior.
- Establish baselines for normal flow access per user role and alert on deviations such as bulk enumeration of flows or environments.
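As an added example (not part of this advisory and not Microsoft tooling), the following Python sketch applies two of the ideas above, a spike in read operations from a single principal within a short window and a per-role baseline, to constructed audit records; the record fields, operation names, role thresholds and user names are assumptions, so map them to the audit schema your tenant actually emits.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations treated as reads of flow or connection metadata. The names are
# assumptions for this example; map them to the audit operations your tenant emits.
READ_OPS = {"GetFlow", "ListFlows", "GetConnection", "ListConnections"}
# Per-role baseline: reads tolerated per principal inside one WINDOW (assumed values).
ROLE_BASELINE = {"maker": 20, "viewer": 5}
WINDOW = timedelta(minutes=5)

def parse_events(text):
    """Parse newline-delimited JSON audit records and return them oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["CreationTime"])
    return sorted(events, key=lambda e: e["ts"])

def detect_bulk_reads(events, roles):
    """Return {user: peak read count} for principals whose read volume inside a
    sliding WINDOW exceeds the baseline of their role (unknown role => viewer)."""
    recent, alerts = defaultdict(deque), {}
    for e in events:
        if e["Operation"] not in READ_OPS:
            continue
        q = recent[e["UserId"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > WINDOW:      # drop reads older than the window
            q.popleft()
        limit = ROLE_BASELINE[roles.get(e["UserId"], "viewer")]
        if len(q) > limit:
            alerts[e["UserId"]] = max(alerts.get(e["UserId"], 0), len(q))
    return alerts

def constructed_sample():
    """Constructed sample log (not real tenant data): alice reads 3 flows over
    8 minutes; bob enumerates 8 flows in 84 seconds."""
    base, lines = datetime(2026, 5, 13, 9, 0, 0), []
    for i in range(3):
        lines.append(json.dumps({"CreationTime": (base + timedelta(minutes=4 * i)).isoformat(),
                                 "UserId": "alice@example.test", "Operation": "GetFlow"}))
    for i in range(8):
        lines.append(json.dumps({"CreationTime": (base + timedelta(seconds=12 * i)).isoformat(),
                                 "UserId": "bob@example.test", "Operation": "GetFlow"}))
    return "\n".join(lines)

if __name__ == "__main__":
    roles = {"alice@example.test": "maker"}   # bob is absent, so treated as viewer
    print(detect_bulk_reads(parse_events(constructed_sample()), roles))
```

Running it reports only bob, whose 8 reads in under two minutes exceed the viewer baseline, while alice's slower reads stay under the maker baseline.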
Monitoring Recommendations
- Forward Power Platform and Microsoft 365 audit logs to a centralized analytics platform for retention and correlation.
- Monitor for privilege changes and connector creations following suspicious read activity, which can indicate post-disclosure lateral movement.
- Alert on access to high-value flows containing financial, HR, or credential management automations.
How to Mitigate CVE-2026-40374
Immediate Actions Required
- Apply the fix referenced in the Microsoft Security Advisory once available; Power Automate is a cloud service and Microsoft typically deploys server-side fixes automatically.
- Audit Power Automate user assignments and remove unnecessary maker or environment access from low-trust accounts.
- Rotate secrets, API keys, and connection references that may have been exposed through impacted flows.
Patch Information
Microsoft addresses Power Automate vulnerabilities through service-side updates rather than customer-installed patches. Consult the Microsoft Security Advisory for the current remediation status and any required tenant configuration changes.
Workarounds
- Enforce least privilege on Power Platform environments and restrict flow sharing to required users.
- Apply Conditional Access policies to Power Automate to limit access to managed devices and trusted network locations.
- Enable Data Loss Prevention (DLP) policies in the Power Platform admin center to restrict sensitive connector combinations.
- Review and tighten environment security groups to ensure only authorized users can enumerate flows and connections.
# Configuration example: list Power Platform environments and role assignments via PowerShell
# Requires the Microsoft.PowerApps.Administration.PowerShell module and a Power Platform admin account
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser -Force
Add-PowerAppsAccount   # interactive sign-in as a Power Platform administrator

# Enumerate environments once and reuse the result for the review below
$environments = Get-AdminPowerAppEnvironment
$environments | Select-Object DisplayName, EnvironmentName, EnvironmentType

# For each environment, list role assignments so that unnecessary maker or
# environment access can be identified and removed (least-privilege review)
foreach ($environment in $environments) {
    Write-Host "Role assignments in environment: $($environment.DisplayName)"
    Get-AdminPowerAppRoleAssignment -EnvironmentName $environment.EnvironmentName
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.