Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Microsoft has disclosed and fully remediated three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot<\/a> and Copilot Chat in Microsoft Edge, all released on May 7, 2026, requiring no action from end users or administrators.<\/p>\n Microsoft\u2019s Security Response Center published advisories for CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 as part of its ongoing commitment to transparency in its cloud services.<\/p>\n All three vulnerabilities carry a Critical severity rating and fall under the Information Disclosure impact category.<\/p>\n Microsoft has already fully mitigated all three flaws on its end, consistent with its cloud CVE transparency initiative outlined in the \u201cToward Greater Transparency: Unveiling Cloud Service CVEs\u201d program.<\/p>\n CVE-2026-26129 affects<\/a> Microsoft 365 Copilot\u2019s Business Chat. The vulnerability stems from improper neutralization of special elements in output used by a downstream component, potentially allowing an unauthorized attacker to disclose sensitive information over a network.<\/p>\n Although full CVSS metrics were not published for this CVE, the critical severity label reflects the high confidentiality risk inherent in Copilot\u2019s enterprise data access model.<\/p>\n CVE-2026-26164<\/a> also targets M365 Copilot and is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component \u2014 Injection).<\/p>\n The attack vector is network-based, requires no privileges or user interaction, and has a high confidentiality impact. The exploitability assessment is rated \u201cExploitation Less Likely,\u201d and exploit code maturity is listed as unproven.<\/p>\n CVE-2026-33111<\/a> affects Copilot Chat embedded in Microsoft Edge and is classified under CWE-77 (Improper Neutralization of Special Elements Used in a Command \u2014 Command Injection).<\/p>\n It shares the same CVSS score of 7.5 \/ 6.5 (temporal) as CVE-2026-26164, with an identical attack profile: network-accessible, no privileges required, no user interaction, and high confidentiality impact.<\/p>\n This is particularly concerning given the widespread deployment of Edge across enterprise environments.<\/p>\n All three vulnerabilities highlight a growing attack surface unique to AI-powered productivity tools.<\/p>\n Because M365 Copilot aggregates and processes vast amounts of organizational data, including emails, documents, and Teams conversations, weaknesses in how it handles special elements or injected commands can allow sensitive information to leak across trust boundaries.<\/p>\n In environments where Copilot has broad access to corporate data sources, the impact could include exposure of intellectual property, confidential communications, or restricted internal records.<\/p>\n Microsoft credited Estevam Arantes of Microsoft for discovering both CVE-2026-26129 and CVE-2026-26164, with additional credit to independent researcher 0xSombra for CVE-2026-26164.<\/p>\n No acknowledgment was listed for CVE-2026-33111. Microsoft confirmed that none of the three vulnerabilities were publicly disclosed or actively exploited prior to publication.<\/p>\n Since all three are cloud-side vulnerabilities, Microsoft has already deployed mitigations at the service layer. Enterprises do not need to install patches or apply configuration changes.<\/p>\n However, security teams are advised to review Copilot\u2019s data access permissions and enforce least-privilege principles to reduce exposure from any future similar flaws.<\/p>\n Cybercriminals now enter through your suppliers instead of your front door \u2013 Free Webinar<\/a><\/strong><\/p>\n The post Critical Microsoft 365 Copilot Vulnerabilities Expose sensitive Information<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nMicrosoft 365 Copilot Vulnerabilities<\/strong><\/h2>\n