CVE-2026-41094 Overview
CVE-2026-41094 is a code injection vulnerability in Microsoft Data Formulator, an AI-assisted data visualization tool. The flaw stems from improper control of generated code [CWE-94], allowing an unauthorized attacker to execute arbitrary code over a network. Exploitation requires user interaction, but no privileges or authentication on the target system. Successful exploitation impacts confidentiality, integrity, and availability of the affected host. Microsoft published the advisory on May 12, 2026, and tracks the issue under Microsoft Vulnerability Advisory CVE-2026-41094.
Critical Impact
Attackers can execute arbitrary code on systems running Microsoft Data Formulator by tricking a user into processing a crafted input, gaining full read, write, and disruption capabilities on the host.
Affected Products
- Microsoft Data Formulator
Discovery Timeline
- 2026-05-12 - CVE-2026-41094 published to the National Vulnerability Database (NVD)
- 2026-05-16 - Last updated in NVD database
Technical Details for CVE-2026-41094
Vulnerability Analysis
Microsoft Data Formulator generates and executes code derived from user-supplied input as part of its AI-driven data transformation workflow. The product fails to properly neutralize directives embedded within that input before passing them to a code generation or execution stage. An attacker who supplies crafted content can inject syntactically valid code that the application later executes in its own process context.
The vulnerability is classified under CWE-94: Improper Control of Generation of Code. Because Data Formulator processes data files, prompts, and transformation specifications, the injection surface spans multiple ingest paths. The attacker does not need credentials, but a legitimate user must open or process the malicious artifact.
Root Cause
The root cause is unsafe construction of executable code from untrusted input. Data Formulator integrates AI prompts with code emission for tasks such as Python data transformation and chart generation. When attacker-controlled tokens flow into that emission step without isolation or sandboxing, they become part of the executed program rather than data values.
Attack Vector
The attack vector is network-based with user interaction required. An attacker delivers a malicious dataset, prompt, configuration file, or transformation specification to a victim. When the victim loads the artifact in Data Formulator, the embedded payload is interpreted as code and runs with the privileges of the user. This grants the attacker control over local files, network access from the host, and the ability to pivot into connected systems.
No public proof-of-concept exploit, CISA KEV listing, or in-the-wild exploitation has been reported at the time of publication. The EPSS probability is 0.063%.
The vulnerability mechanism is not accompanied by verified exploit code. See the Microsoft Security Response Center advisory for vendor-confirmed technical details.
Detection Methods for CVE-2026-41094
Indicators of Compromise
- Unexpected child processes spawned by the Data Formulator process, particularly python.exe, cmd.exe, powershell.exe, or shell interpreters with non-standard command lines.
- Outbound network connections from Data Formulator host processes to unfamiliar domains or IP addresses immediately after a dataset or prompt is loaded.
- New or modified files in user profile directories created shortly after Data Formulator opens an externally sourced artifact.
Detection Strategies
- Hunt for process lineage where Data Formulator is the parent of script interpreters or LOLBins, which deviates from normal visualization workflows.
- Inspect Data Formulator session logs and generated code artifacts for embedded shell commands, os.system, subprocess, eval, or exec calls that were not authored by the user.
- Correlate file open events on .csv, .json, or prompt files received from external sources with subsequent process and network activity.
Monitoring Recommendations
- Enable command-line and process creation auditing on hosts running Data Formulator so generated code execution is captured.
- Forward endpoint telemetry to a centralized analytics platform to correlate suspicious child process and network behavior across users.
- Alert on Data Formulator processes establishing outbound connections to non-Microsoft destinations during data import operations.
How to Mitigate CVE-2026-41094
Immediate Actions Required
- Apply the update referenced in the Microsoft advisory for CVE-2026-41094 to all systems running Data Formulator.
- Inventory hosts and user accounts with Data Formulator installed to confirm patch coverage.
- Instruct users to avoid opening datasets, prompts, or configuration files from untrusted or unsolicited sources until patching is complete.
Patch Information
Microsoft has published remediation guidance through the Microsoft Security Response Center. Refer to the Microsoft Vulnerability Advisory CVE-2026-41094 for the fixed version and installation instructions. Update to the latest released build of Microsoft Data Formulator.
Workarounds
- Restrict Data Formulator execution to dedicated, low-privilege user accounts that cannot access sensitive data or administrative functions.
- Run Data Formulator inside an isolated virtual machine or container to contain the impact of code execution from crafted inputs.
- Block network egress from Data Formulator hosts to all destinations except required Microsoft service endpoints until the patch is deployed.
# Example: restrict outbound traffic from a Data Formulator host on Windows
New-NetFirewallRule -DisplayName "Block DataFormulator Egress" `
-Direction Outbound `
-Program "C:\Path\To\DataFormulator.exe" `
-Action Block
: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
