CVE-2026-45497 — Microsoft 365 Copilot Critical Command Injection RCE
AI relevance: A CVSS 9.8 command-injection flaw in the Microsoft 365 Copilot orchestration engine means crafted prompts could trigger arbitrary code execution on the backend that marshals cross-service data across SharePoint, Teams, Exchange, and Microsoft Graph — one of the highest-severity CVEs directly affecting a production AI agent system.
What happened
- CVE-2026-45497 is a critical RCE in Microsoft 365 Copilot, scored CVSS 9.8 with a root cause of command injection in the Copilot orchestration engine.
- Attack vector: a crafted prompt or manipulated data stream could trick the Copilot backend into executing arbitrary commands. The vulnerable component processes natural-language requests, decomposes them into tasks, queries connected data sources (SharePoint, Teams, Exchange, Microsoft Graph), and assembles responses.
- CVSS vector includes network accessibility, low attack complexity, no privileges required, and no user interaction — the combination often called "wormable."
- Silent cloud patch. Microsoft fixed the vulnerability in its backend infrastructure across all global Azure and M365 data centers within 48 hours of the bug-bounty report. No customer-side patch was needed.
- Reachability was narrow. Post-exploitation analysis showed the vulnerable code path was only reachable when Copilot processed certain uncommon prompt types, reducing but not eliminating the practical attack surface.
- Pivot risk was real. Successful exploitation would have allowed privilege escalation to service-level privileges and arbitrary code execution, with potential to pivot to connected M365 services and exfiltrate data.
- Guest/external exposure. In some scenarios, guest or external participants in Teams chats could have been positioned to reach the vulnerable code path.
Why it matters
This is a landmark CVE for AI agent security. Command injection in an AI orchestration layer — where natural language gets translated into system actions — is a class of vulnerability that will recur across every major AI platform. The fact that Copilot operates with high privilege to marshal cross-service data made this flaw especially dangerous: an exploited instance would have had broad reach across the M365 tenant.
The silent-fix pattern (cloud-side patch without a customer-facing advisory at the time of deployment) is also notable. For cloud-native AI services, customers may have zero visibility into when critical vulnerabilities are introduced and remediated in the backend.
What to do
- Audit Copilot access controls. Even though the backend is patched, verify that service-account permissions, guest-access policies, and Graph API scopes are scoped to least privilege.
- Monitor for cloud-side CVEs. For SaaS AI services, track vendor advisory pages rather than waiting for Patch Tuesday. Critical fixes may land silently.
- Review prompt-input pipelines. Any AI system that converts natural language into system calls needs input validation at the orchestration layer, not just at the model level.
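One way to apply validation at the orchestration layer, shown as an added example that is not from the original page or from Microsoft: a hypothetical dispatcher checks each model-produced task against a tool allowlist and per-argument patterns, then builds an argv list for shell-free execution. The tool names, executable paths and task shape are assumptions made for illustration.

```python
import re

# Hypothetical tool registry for an illustrative orchestrator; names and paths are assumptions.
TOOLS = {
    "search_docs": {"exe": "/usr/local/bin/docsearch",
                    "args": {"query": re.compile(r"[\w .@-]{1,128}")}},
    "list_site": {"exe": "/usr/local/bin/sitelist",
                  "args": {"site": re.compile(r"[a-z0-9-]{1,63}")}},
}

def unsafe_command(task):
    """Anti-pattern: model-derived text interpolated into a string meant for a shell."""
    return f"docsearch --query {task['args']['query']}"

def build_argv(task):
    """Validate a model-produced task; return an argv list or raise ValueError."""
    tool = task.get("tool") if isinstance(task, dict) else None
    spec = TOOLS.get(tool) if isinstance(tool, str) else None
    if spec is None:
        raise ValueError(f"tool not allowlisted: {tool!r}")
    args = task.get("args")
    if not isinstance(args, dict) or set(args) != set(spec["args"]):
        raise ValueError("unexpected or missing arguments")
    argv = [spec["exe"]]
    for name, pattern in spec["args"].items():
        value = args[name]
        # fullmatch, not match: the whole value must fit, including no trailing newline
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"argument {name!r} failed validation")
        argv.append(f"--{name}={value}")  # one argv element; never re-parsed by a shell
    return argv  # pass to subprocess.run(argv, shell=False)

# Constructed sample tasks, as a planner might emit them after parsing a prompt.
BENIGN = {"tool": "search_docs", "args": {"query": "q3 report"}}
HOSTILE = {"tool": "search_docs", "args": {"query": "q3 report; id"}}

if __name__ == "__main__":
    print(build_argv(BENIGN))
    print("shell string the anti-pattern would build:", unsafe_command(HOSTILE))
    try:
        build_argv(HOSTILE)
    except ValueError as err:
        print("rejected:", err)
```

The validation runs on the structured task after the model has produced it, so it holds regardless of how the prompt was phrased or what the model was persuaded to emit.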