M365 Copilot
CVE-2026-26133 — M365 Copilot Information Disclosure Vulnerability
Executive Summary
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Overview
| Metric | Value |
|---|---|
| CVSS | 7.1 HIGH |
| MS Severity | Important |
| MS Exploit Status | Not Exploited |
| MS Exploit Likelihood | Less Likely |
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | Low |
| Availability | None |
| Exploit Code Maturity | Unproven |
| Remediation Level | Official Fix |
| Report Confidence | Confirmed |
Temporal Score: 6.2
EPSS Score: 0.00433 (probability of exploitation in the next 30 days)
0.3441 percentile - updated 2026-06-21
Affected Products
20 affected products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Microsoft 365 Copilot for Android | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft 365 Copilot for iOS | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Edge for Android | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Edge for iOS | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Excel for Android | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Excel for iOS | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Loop for iOS | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft OneNote for Android | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft OneNote for iOS | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Outlook for Android | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Outlook for iOS | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Outlook for Mac | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft PowerBI for Android | Release Note (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft PowerBI for iOS | Release Note (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft PowerPoint for Android | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft PowerPoint for iOS | Release Note (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Teams for Android | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Teams for iOS | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Word for Android | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
| Microsoft Word for iOS | Release Notes (Security Update) | Important | Information Disclosure | Maybe |
Patches
2 patches
| Article | Type | Restart |
|---|---|---|
| Release Notes | Security Update | Maybe |
| Release Note | Security Update | Maybe |
Known Exploits
No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.
Acknowledgments
Microsoft has not published researcher acknowledgments for this CVE, or they are not yet reflected in our data source. Check the MSRC advisory directly for the most current credit information.