CVE-2026-42835

Microsoft · Teams for Android

Microsoft Teams for Android contains an injection vulnerability that allows an authenticated attacker to disclose sensitive runtime information from heap memory.

Executive summary

A high-severity injection vulnerability in Microsoft Teams for Android allows an authenticated attacker to perform unauthorized disclosure of sensitive session data.

Vulnerability

The application is susceptible to an injection vulnerability (CWE-74, improper neutralization of special elements in output used by a downstream component). This flaw allows an authenticated attacker to read portions of the application's heap memory, potentially exposing authentication tokens or session data.

Business impact

The CVSS score of 8.1 reflects the high risk of information disclosure within a corporate communication tool. Successful exploitation could lead to the theft of session tokens, enabling an attacker to impersonate legitimate users and gain unauthorized access to internal corporate communications and sensitive data.

Remediation

Immediate Action: Update Microsoft Teams for Android to version 1.0.76.2026111302 or later via the official app store.

Proactive Monitoring: Review mobile device management (MDM) logs for unusual application behavior or unauthorized data access patterns originating from mobile endpoints.

Compensating Controls: Enforce strict Conditional Access policies and multi-factor authentication (MFA) to minimize the impact of potentially compromised session tokens.
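The version check behind the remediation steps above, as an added example rather than code from the advisory or from Microsoft: it reads an MDM app-inventory export and lists devices whose Teams for Android build predates the fixed version. The CSV layout, device names and the `com.microsoft.teams` package name are assumptions.

```python
# Added example (not from the advisory): flag Microsoft Teams for Android installs
# older than the fixed build named in the remediation section.
from typing import List, Tuple

FIXED_VERSION = "1.0.76.2026111302"  # fixed version stated in the advisory

# Constructed sample MDM export: device,package,installed_version (layout assumed)
SAMPLE_INVENTORY = """\
device,package,installed_version
phone-001,com.microsoft.teams,1.0.75.2025101701
phone-002,com.microsoft.teams,1.0.76.2026111302
phone-003,com.microsoft.teams,1.0.76.2026120101
phone-004,com.microsoft.office.outlook,4.2426.1
phone-005,com.microsoft.teams,1.0.76
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers so that '1.0.76' < '1.0.76.1'
    and '1.0.9' < '1.0.10' (plain string comparison gets both wrong)."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def devices_needing_update(csv_text: str, package: str = "com.microsoft.teams") -> List[str]:
    """Return the devices whose Teams for Android build still needs the update."""
    needs_update: List[str] = []
    for line in csv_text.strip().splitlines()[1:]:  # skip the header row
        device, pkg, version = [field.strip() for field in line.split(",")]
        if pkg == package and is_vulnerable(version):
            needs_update.append(device)
    return needs_update


if __name__ == "__main__":
    for device in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{device}: update Microsoft Teams to {FIXED_VERSION} or later")
```

Builds carrying non-numeric suffixes would raise `ValueError` in `parse_version`; normalise such strings before comparing if your MDM reports them that way.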

Exploitation status

Public Exploit Available: False

Analyst recommendation

Organizations should prioritize updating all mobile devices running Microsoft Teams to the patched version. Ensuring that the mobile fleet is running the latest software version is essential to mitigating the risk of credential and session token theft.