What the vulnerability does
01Description
Exposure of sensitive information to an unauthorized actor in Power Automate allows an unauthorized attacker to elevate privileges over a network.
CVE-2025-47966
CRITICAL
CVE-2025-47966: Power Automate Elevation of Privilege Vulnerability
CVSS base score
9.8/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Key dates
02Disclosure timeline
June 5, 2025
CVE published
February 26, 2026
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2023-42505 Apache Superset: Sensitive information disclosure on db connection details
CVE-2021-22134
CVE-2022-1774 Exposure of Sensitive Information to an Unauthorized Actor in jgraph/drawio
CVE-2022-0384 Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure
CVE-2026-32100 swag/platform-security: `/api/_info/config` route exposes information about licenses and active security fixes
