Microsoft disclosed and patched CVE-2026-32185, an Important spoofing vulnerability in Microsoft Teams for Android caused by improper access to files or directories, mapped to CWE-552. The flaw could allow an unauthorized local attacker to spoof trusted elements in the app and potentially trick users into accepting malicious content or communications. Microsoft assigned the issue a CVSS 3.1 score of 5.5 and said exploitation requires local access and user interaction, but could still have a high confidentiality impact.
Microsoft said the vulnerability was not publicly disclosed, not exploited in the wild, and had no public proof-of-concept at the time of publication, with exploitation assessed as less likely. The company released a fix through the Google Play Store and advised users to update Microsoft Teams for Android to version 1.0.0.2026092103 or later. Microsoft credited Ofek Levin of Enclave with responsibly reporting the issue.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
On 2026-05-21, Microsoft announced that the security update for Microsoft Teams for Android was available and advised customers to install it. The fix was distributed via Google Play Store, with affected users told to update to build 1.0.0.2026092103 or later.
On 2026-05-12, Microsoft published an advisory for CVE-2026-32185, rating it Important with a CVSS 3.1 score of 5.5. Microsoft said the flaw enabled local spoofing in Teams for Android and that it had not been publicly disclosed or exploited in the wild at that time.
Microsoft credited security researcher Ofek Levin of Enclave with responsibly disclosing CVE-2026-32185, a spoofing flaw in Microsoft Teams for Android caused by improper access to files or directories.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.