Microsoft Power Automate
cpe:2.3:a:microsoft:power_automate_for_desktop:*:*:*:*:*:*:*
A vulnerability in Power Automate Desktop allows an authorized attacker to disclose sensitive information over the network. The issue stems from a logging problem: values stored in variables marked as 'Sensitive' within Power Automate Desktop flows can appear in execution logs. These logs can be accessed by users with Owner, Co-Owner, or Runner permissions for the affected desktop flow.
Exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information, specifically values from variables designated as 'Sensitive' in Power Automate Desktop flows. These values may be included in execution logs uploaded to the Power Automate portal, where they can be viewed by users with appropriate permissions.
Users can download the security update for Power Automate for Desktop from the Microsoft Update Catalog. Instructions for applying the update are available in the release notes.