Microsoft — CVE-2026-41106 Copilot Cross-Tenant Privilege Escalation
AI relevance: Microsoft 365 Copilot orchestrates data across SharePoint, Graph, and Entra ID — when its trust boundary enforcement fails, AI-assisted queries can become a cross-tenant data exfiltration vector.
What happened
- Microsoft disclosed CVE-2026-41106, an elevation-of-privilege flaw in M365 Copilot published July 3, 2026 in the MSRC Security Update Guide.
- The vulnerability allows an authenticated attacker in one M365 tenant to access sensitive data — files, emails, Teams messages — from a separate tenant by exploiting Copilot's integration with SharePoint Online and Entra ID.
- Copilot weaves together data from emails, documents, meetings, and chats, relying on a complex permission chain across Microsoft Graph, SharePoint Online, and Entra ID to enforce who sees what.
- CVE-2026-41106 represents a breakdown in that chain: under certain conditions, Copilot's orchestration engine treated data from separate tenants as if they were part of the same authoritative domain.
- A compromised low-privilege account in Tenant A could craft a malicious prompt causing Copilot to pull data from a document library in Tenant B, bypassing the authentication layer that normally isolates tenants.
- Because Copilot actions are logged as performed by the application (not the user), the real source of the request could be obscured in audit trails.
- Microsoft applied the fix server-side — no customer KB or patch deployment required — reflecting the cloud-native reality that vulnerabilities in SaaS AI services don't wait for Patch Tuesday.
- The advisory tags reference "SharePoint permissions," pointing to SharePoint Online's granular permission model as the likely exploitation vector.
Why it matters
This is the first publicly documented CVE where an AI assistant's cross-service reasoning capability becomes the mechanism for cross-tenant privilege escalation — not just horizontal movement within one organization. Copilot's value (reasoning across all your data) is also its risk: the broader the integration surface, the more trust boundary failures can be amplified into data exposure. Security teams should review audit logs for unusual cross-tenant Copilot activity, focusing on prompts that returned data from unexpected sources.
What to do
- Verify the server-side fix is applied by checking your tenant's MSRC Security Update Guide status.
- Review Copilot audit logs for cross-tenant queries returning data from unexpected SharePoint sites or Entra ID scopes.
- Audit SharePoint permission configurations — excessive or inherited permissions on shared sites are the likely precondition.
- Restrict Copilot's cross-service access scope to the minimum required for your deployment.
- Monitor for anomalous prompt patterns that may indicate exploitation attempts.