Microsoft 365 Copilot — Three Critical Info Disclosure CVEs Patched
AI relevance: M365 Copilot aggregates enterprise data from emails, documents, and Teams conversations — injection flaws in how the AI neutralizes special elements in its output can leak sensitive organizational data across trust boundaries.
- CVE-2026-26129 affects M365 Copilot Business Chat. Classified as improper neutralization of special elements in output used by a downstream component. Critical severity, high confidentiality impact.
- CVE-2026-26164 also targets M365 Copilot, classified under CWE-74 (Improper Neutralization of Special Elements in Output — Injection). Network-based, no privileges required, no user interaction, high confidentiality impact. Exploitability rated "less likely."
- CVE-2026-33111 affects Copilot Chat embedded in Microsoft Edge, classified under CWE-77 (Command Injection). CVSS 7.5 / 6.5 temporal. Same attack profile: network-accessible, no auth, no user interaction.
- All three are cloud-side vulnerabilities — Microsoft has already deployed mitigations at the service layer. No patches required from end users or administrators.
- No evidence of public disclosure or active exploitation prior to publication.
- CVE-2026-26129 and CVE-2026-26164 were credited to Estevam Arantes (Microsoft), with additional credit to independent researcher 0xSombra for CVE-2026-26164.
Why it matters
AI assistants with broad access to corporate data create a new attack surface: vulnerabilities in output handling can allow sensitive information — intellectual property, confidential communications, restricted internal records — to leak across trust boundaries. The pattern of multiple injection-class flaws in Copilot within a single patch cycle suggests ongoing difficulty with output sanitization in AI products that consume and re-emit enterprise data.
What to do
- Review Copilot data access permissions and enforce least-privilege access to reduce exposure from any future similar flaws.
- Audit which data sources (SharePoint, Teams, email, OneDrive) are connected to Copilot and restrict sensitive repositories.
- Monitor Microsoft's cloud CVE transparency program for ongoing Copilot advisories — these are service-side fixes with no patch action required, but awareness matters for risk assessment.