Search criteria

1 vulnerability found for Microsoft PowerToys by Microsoft

CVE-2026-42902 (GCVE-0-2026-42902)

Vulnerability from cvelistv5 – Published: 2026-06-09 17:04 – Updated: 2026-07-08 23:22
VLAI?
Title
Microsoft PowerToys Elevation of Privilege Vulnerability
Summary
Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally.
CWE
Assigner
References
Impacted products
Vendor Product Version
Microsoft Microsoft PowerToys Affected: 0.1 , < v0.99.1 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42902",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-10T03:57:44.660372Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-10T10:31:20.364Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Microsoft PowerToys",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "v0.99.1",
              "status": "affected",
              "version": "0.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:microsoft:power_toys:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "v0.99.1",
                  "versionStartIncluding": "0.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-06-09T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Improper authorization in Microsoft PowerToys allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-08T23:22:54.523Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Microsoft PowerToys Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42902"
        }
      ],
      "title": "Microsoft PowerToys Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-42902",
    "datePublished": "2026-06-09T17:04:30.968Z",
    "dateReserved": "2026-04-30T22:35:54.967Z",
    "dateUpdated": "2026-07-08T23:22:54.523Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}