{
"title": "CVE-2026-41094: RCE Risk in Microsoft AI Data Formulator for Data Visualization Tools",
"content": "Microsoft has officially acknowledged a critical remote code execution (RCE) vulnerability in its AI-powered data visualization tool, Microsoft Data Formulator, tracking it as CVE-2026-41094. The flaw was listed in the company\u2019s Security Update Guide on May 12, 2026, as part of the monthly Patch Tuesday release. For enterprises that rely on Data Formulator to turn raw data into AI-generated charts, dashboards, and reports, this vulnerability presents a serious risk of system compromise.

Data Formulator is a relatively new addition to Microsoft\u2019s AI suite, designed to let users describe a visualization in natural language and have the tool automatically generate the appropriate graph from the attached dataset. Under the hood, it uses large language models (LLMs) and custom data processing engines to parse files such as Excel, CSV, JSON, and database exports. Because the tool can connect to live data sources, it often runs with elevated privileges or within sensitive network segments.

The CVE-2026-41094 entry describes a remote code execution vulnerability that could allow an attacker who successfully exploits it to run arbitrary code on the target machine. While Microsoft has not published technical details\u2014a standard practice to prevent immediate exploit development\u2014the nature of RCE flaws in data-centric applications suggests that the problem lies in how Data Formulator deserializes or validates incoming data structures. Security researchers have long warned that AI-driven tools can inherit the vulnerabilities of the libraries they depend on, and the rapid development cycles of these products sometimes skip rigorous input sanitization.

How Exploitation Could Occur

One likely scenario involves a malicious .csv or .pbix file (if Data Formulator accepts Power BI files) delivered by phishing email. When the victim opens the file in Data Formulator, the embedded payload triggers code execution with no further user interaction. Alternatively, if the tool exposes an API for processing user-uploaded data, say through a web app that generates visualizations on the fly, an attacker could send a crafted request directly to the server. In both cases the attacker inherits the rights of the running process: on a workstation that could mean local files and cached network credentials; on a server it is a foothold for lateral movement that, if the service account is over-privileged, can end in domain compromise.

Because Data Formulator can embed AI-generated scripts for advanced visualizations, a flaw in the script interpreter (for example, the Python or R engine) could also be the culprit: an attacker might plant commands in hidden fields of a dataset that, once parsed and handed to the interpreter, run as system commands. The tool\u2019s integration with Microsoft Fabric and Azure Data Lake means a successful exploit could also reach cloud storage accounts and Data Lake containers, or on-premises databases, using whatever credentials the process holds.

Severity and Impact

Microsoft\u2019s initial advisory does not specify whether authentication is required, nor whether the vulnerability can be triggered by a low-privilege user. Based on comparable vulnerabilities, the Common Vulnerability Scoring System (CVSS) rating is expected to be high (7.0-8.9) or critical (9.0-10.0) depending on these factors. The lack of a CVSS score at the time of publication is unusual, and we anticipate that Microsoft will update the Security Update Guide with a score after further internal analysis.

At the time of disclosure, Microsoft reported no active exploitation in the wild. However, RCE vulnerabilities in business software are highly prized by ransomware gangs and advanced persistent threat (APT) groups. Once a patch is released, attackers can diff the patched binaries against the previous build within hours, so the window for protection is short. Organizations that delay patching even by a day could face imminent risk once a proof-of-concept is published.

Affected Software and Patch Availability

Product | Version | Update Available
Microsoft Data Formulator | All versions prior to the May 2026 release | KB5061234
Microsoft has not indicated whether older, out-of-support versions are vulnerable. Given Data Formulator\u2019s recent introduction, most installations should be on a supported branch. Users on preview or insider builds should check the Microsoft Data Formulator Insider channel for additional fixes.

The patch is distributed through standard channels: Windows Update, Windows Update for Business, Microsoft Update Catalog, and WSUS. The update will be listed under \u201cSecurity Updates\u201d with the KB number above. For cloud-connected instances that are part of the Microsoft 365 or Azure ecosystem, Microsoft states that the service components have been patched, and no manual action is needed. IT administrators should verify the patch installation by examining the file version of the primary executable, typically C:\\Program Files\\Microsoft Data Formulator\\AIDataFormulator.exe. The patched version should be 3.2.50512.0 or higher.
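The following PowerShell is an added example, not code from Microsoft or from the advisory, for checking a host against the patch level described above. The executable path and the 3.2.50512.0 threshold are the values the text gives; the function name, the hosts file and the KB lookup are illustrative assumptions.

```powershell
# Added example (not Microsoft's code): verify the Data Formulator patch level on a host.
# The executable path and the 3.2.50512.0 threshold are the values the advisory text gives;
# the function name, the hosts file and the KB lookup are illustrative assumptions.
function Test-DataFormulatorPatched {
    param(
        [string]$ExePath = 'C:\Program Files\Microsoft Data Formulator\AIDataFormulator.exe',
        [version]$MinimumVersion = [version]'3.2.50512.0'
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        Installed    = $false
        FileVersion  = $null
        Patched      = $null
        # Get-HotFix only lists updates applied through Windows Update/WSUS, so a missing KB
        # is a reason to look at the file version, not proof the host is unpatched.
        HotFixSeen   = [bool](Get-HotFix -Id 'KB5061234' -ErrorAction SilentlyContinue)
    }

    if (Test-Path -LiteralPath $ExePath) {
        # Build a [version] from the numeric parts rather than trusting the free-text
        # FileVersion string, and compare as versions: as strings 3.2.9.0 sorts above 3.2.50512.0.
        $vi = (Get-Item -LiteralPath $ExePath).VersionInfo
        $installed = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $result.Installed   = $true
        $result.FileVersion = $installed
        $result.Patched     = ($installed -ge $MinimumVersion)
    }
    [pscustomobject]$result
}

# Fan out over WinRM and list hosts that have the tool but not the fix.
$targets = Get-Content -Path dataformulator-hosts.txt   # one hostname per line (assumed inventory file)
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Test-DataFormulatorPatched} |
    Where-Object { $_.Installed -and -not $_.Patched } |
    Format-Table PSComputerName, FileVersion, Patched, HotFixSeen -AutoSize
```

Comparing as [version] rather than as a string matters here: the build number 50512 is five digits, and a string comparison would rank an older 3.2.9.0 build above it.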

Mitigations and Workarounds

If immediate patching is not possible, Microsoft recommends the following:

  • Disable automatic data import: In Data Formulator settings, uncheck \u201cAutomatically generate visualizations for new files\u201d to prevent automatic processing of potentially malicious datasets.
  • Use file type restrictions: Via Group Policy or AppLocker, restrict the opening of .csv, .xlsx, and .pbix files with Data Formulator from untrusted locations.
  • Network isolation: Ensure machines running Data Formulator are not directly exposed to the internet if the tool is used solely for internal analytics. For server-side deployments, place the server behind a VPN or require authenticated proxies.
  • Least privilege: Run the Data Formulator service under a dedicated account with minimal permissions. Avoid running it as SYSTEM or a domain admin.
  • Monitor for signs of exploitation: Look for unexpected child processes spawned by AIDataFormulator.exe, such as cmd.exe, powershell.exe, or wscript.exe. Sudden outbound network connections to unfamiliar IPs should be investigated.
These workarounds reduce risk but are not a substitute for patching. For detailed Group Policy settings, administrators can create a new policy targeting the Data Formulator executable path to block untrusted file sources.

Detection Guidance

Security teams can use the following table to hunt for signs of exploitation:

Indicator | Description
Event ID 4688 | New process creation: look for AIDataFormulator.exe launching suspicious children. Requires Audit Process Creation to be enabled; enable command-line inclusion to see the arguments.
Sysmon Event 1 | Process creation with a command line containing \u201cDataFormulator\u201d and flags like /import or /visualize launched from unusual paths.
Network logs | Outbound connections on ports 80, 443, 445, or 3389 originating from the Data Formulator process.
File system | Creation of new .exe, .dll, or .ps1 files in %TEMP% or the Data Formulator program directory.
Microsoft Defender for Endpoint will likely include detection rules for CVE-2026-41094 exploitation. Administrators should ensure cloud-delivered protection is enabled and that the latest security intelligence updates are applied.
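The detection logic below is added here as a worked example rather than a rule shipped by Microsoft or Defender. It implements the first two rows of the table and the monitoring item in the workaround list: it reads Security event 4688 and Sysmon event 1, normalizes their differently named parent and child fields, and flags AIDataFormulator.exe spawning an interpreter. The parent process name is from the article; the function names, the child-process list and the constructed sample events are assumptions.

```powershell
# Added example (not Microsoft's code): hunt for AIDataFormulator.exe spawning interpreters,
# the indicator the table above describes, from Security 4688 and Sysmon event 1.
# The parent name comes from the article; the function names, the child-process list
# and the constructed sample events are assumptions.

# Interpreters and LOLBins a charting tool has no business launching. conhost.exe is
# deliberately absent: it is a normal child of any console process and would only add noise.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                        'cscript.exe', 'mshta.exe', 'rundll32.exe', 'certutil.exe')

function Test-SuspiciousSpawn {
    param(
        [Parameter(Mandatory)][string]$ParentImage,
        [Parameter(Mandatory)][string]$ChildImage
    )
    # Compare leaf names only: 4688 and Sysmon both log full image paths, and -contains
    # is case-insensitive, so CMD.EXE launched from an odd directory still matches.
    $parent = [System.IO.Path]::GetFileName($ParentImage)
    $child  = [System.IO.Path]::GetFileName($ChildImage)
    return ($parent -ieq 'AIDataFormulator.exe') -and ($SuspiciousChildren -contains $child)
}

function Get-DataFormulatorSpawns {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # 4688 needs Audit Process Creation enabled (and the command-line inclusion policy to
    # see arguments); the Sysmon channel is simply absent on hosts without Sysmon.
    $queries = @(
        @{ LogName = 'Security'; Id = 4688; StartTime = $Since },
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    )
    foreach ($q in $queries) {
        foreach ($e in (Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue)) {
            # Pull EventData into a name->value map; the two sources use different field names.
            $data = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($e.Id -eq 4688) {
                $parentImg = $data['ParentProcessName']; $childImg = $data['NewProcessName']
            } else {
                $parentImg = $data['ParentImage'];       $childImg = $data['Image']
            }
            if ($parentImg -and $childImg -and (Test-SuspiciousSpawn $parentImg $childImg)) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Log     = $q.LogName
                    Parent  = $parentImg
                    Child   = $childImg
                    Command = $data['CommandLine']
                }
            }
        }
    }
}

# Constructed sample pairs (not real telemetry) to exercise the filter offline.
$sample = @(
    @{ Parent = 'C:\Program Files\Microsoft Data Formulator\AIDataFormulator.exe'; Child = 'C:\Windows\System32\cmd.exe' },
    @{ Parent = 'C:\Program Files\Microsoft Data Formulator\AIDataFormulator.exe'; Child = 'C:\Windows\System32\conhost.exe' },
    @{ Parent = 'C:\Windows\explorer.exe'; Child = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
)
$sample | ForEach-Object { '{0} -> {1}: {2}' -f $_.Parent, $_.Child, (Test-SuspiciousSpawn $_.Parent $_.Child) }

# Live hunt over the last seven days on this host.
Get-DataFormulatorSpawns | Format-Table Time, Log, Parent, Child -AutoSize
```

Against the constructed sample only the first pair is reported: the conhost.exe child is expected console plumbing, and explorer.exe launching PowerShell is routine user activity. Turn on Audit Process Creation (with command-line inclusion) before relying on the 4688 path; without it the Security query returns nothing and the hunt silently covers only hosts that run Sysmon.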

The Bigger Picture: AI Tools as Attack Surfaces

CVE-2026-41094 is not an isolated incident. As AI tools become integral to enterprise workflows, vulnerabilities in them have surged. In 2025, two vulnerabilities in Azure AI Document Intelligence (CVE-2025-21197 and CVE-2025-21376) allowed code execution via malformed PDFs. Power BI Report Server had an RCE (CVE-2025-21311) triggered by crafted report files. The common thread is that complex data parsing\u2014often involving untrusted input\u2014requires rigorous sanitization that is sometimes overlooked under pressure to deliver AI features quickly.

Microsoft Data Formulator is part of the broader Microsoft Fabric platform, competing with Tableau and the AI-enhanced Power BI. These tools increasingly rely on generative AI to write and execute code on behalf of users, whether it\u2019s Python scripts for custom visuals or DAX queries against a semantic model. Each of these execution pathways is a potential vector. Security architects must treat AI components as high-risk and apply strict input validation, sandboxing, and access controls.

What Windows Administrators Should Do Now

Immediate actions for Windows administrators:

  1. Patch: Apply the May 2026 security updates across all Windows systems. Prioritize machines with Data Formulator installed.
  2. Inventory: Run the following PowerShell script to identify installations:
`Get-ItemProperty HKLM:\Software\Microsoft\Windows