Tuesday, 27 January 2026

Microsoft Office Security Restriction Bypass Vulnerability

Release Date: 27 Jan 2026

RISK: Medium Risk

TYPE: Clients - Browsers

A vulnerability was identified in Microsoft Office. An attacker could exploit this vulnerability to bypass security restrictions on the targeted system.

 

Note:

CVE-2026-21509 is being exploited in the wild. Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. An attacker must send a user a malicious Office file and convince them to open it. Hence, the risk level is rated as Medium Risk.


Impact

  • Security Restriction Bypass

System / Technologies affected

  • Microsoft 365 Apps for Enterprise
  • Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021
  • Microsoft Office LTSC 2024

Solutions

Before installing the software, please visit the software vendor's website for more details.

  • Customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.
  • Customers running Office 2016 and 2019 are not protected until they install the security update. Customers on these versions can apply the registry keys to be protected immediately; please refer to the link below for the steps.

Apply fixes or mitigations issued by the vendor:


Vulnerability Identifier


Source


Related Link
