Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AnyDesk Critical 0-Day Vulnerability Lets Attackers Trigger DoS
July 16, 2026
Next.js Launches Monthly Security Releases, Patches 9 Vulnerabilities
July 16, 2026
SonicWall SMA 1000 Zero-Day Actively Exploited
July 16, 2026
Home/CyberSecurity News/Critical Microsoft 365 Copilot Vulnerabilities Expose Sensitive Data
CyberSecurity News

Critical Microsoft 365 Copilot Vulnerabilities Expose Sensitive Data

Key Takeaways Microsoft has patched three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge. The flaws, identified as CVE-2026-26129,...

Emy Elsamnoudy
Emy Elsamnoudy
May 9, 2026 3 Min Read
52 0

Key Takeaways

  • Microsoft has patched three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge.
  • The flaws, identified as CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111, could lead to the exposure of sensitive data.
  • All vulnerabilities have been fully mitigated by Microsoft as of May 7, 2026, requiring no action from end users or administrators.
  • The issues highlight the unique security challenges posed by AI-powered productivity tools with broad access to enterprise data.

Microsoft has successfully addressed three critical information disclosure vulnerabilities found within its Microsoft 365 Copilot and the Copilot Chat feature integrated into Microsoft Edge. These significant security flaws, which could have exposed sensitive data, were fully remediated on May 7, 2026, with no required actions from users or IT administrators.

Table Of Content

  • Key Takeaways
  • Technical Analysis of Copilot Vulnerabilities
  • CVE-2026-26129: Microsoft 365 Copilot Business Chat
  • CVE-2026-26164: Microsoft 365 Copilot Injection Flaw
  • CVE-2026-33111: Copilot Chat in Microsoft Edge Command Injection
  • What You Should Do

The company’s Security Response Center (MSRC) released advisories for these vulnerabilities—CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111—as part of its commitment to transparent disclosure regarding cloud service security issues.

Each of the identified vulnerabilities carries a critical severity rating and is categorized as an information disclosure type of impact, underscoring the potential for unauthorized access to confidential information.

Microsoft confirmed that all three vulnerabilities have been fully mitigated on its cloud services, aligning with its “Toward Greater Transparency: Unveiling Cloud Service CVEs” initiative, which aims to provide clearer insights into security issues affecting its cloud offerings.

Technical Analysis of Copilot Vulnerabilities

CVE-2026-26129: Microsoft 365 Copilot Business Chat

The vulnerability CVE-2026-26129 impacts the Business Chat component of Microsoft 365 Copilot. This flaw arises from insufficient neutralization of special characters or elements within the output processed by subsequent system components. An attacker could potentially exploit this weakness over a network to reveal sensitive information.

While a full CVSS score was not publicly released for this specific CVE, its critical severity designation reflects the substantial risk to data confidentiality, especially given Copilot’s extensive access to enterprise data.

CVE-2026-26164: Microsoft 365 Copilot Injection Flaw

CVE-2026-26164 also targets Microsoft 365 Copilot and is classified under CWE-74, denoting an “Improper Neutralization of Special Elements in Output Used by a Downstream Component – Injection.”

This vulnerability features a network-based attack vector, requires no specific user privileges or interaction, and poses a high risk to confidentiality. Microsoft’s assessment indicates that exploitation is “Less Likely,” and the maturity of exploit code remains unproven.

CVE-2026-33111: Copilot Chat in Microsoft Edge Command Injection

CVE-2026-33111 affects the Copilot Chat feature embedded within Microsoft Edge. It falls under CWE-77, or “Improper Neutralization of Special Elements Used in a Command – Command Injection.”

This vulnerability shares a CVSS score of 7.5 (base) / 6.5 (temporal) with CVE-2026-26164, exhibiting an identical attack profile: network-accessible, no privileges required, no user interaction, and a high impact on confidentiality. The presence of such a flaw in Microsoft Edge is particularly noteworthy given its widespread use in corporate environments.

These three vulnerabilities collectively underscore the unique and evolving attack surface presented by AI-powered productivity tools. Microsoft 365 Copilot, by design, aggregates and processes vast quantities of organizational data—ranging from emails and documents to Teams conversations. Consequently, any weaknesses in how it handles special elements or injected commands could inadvertently lead to the leakage of sensitive information across trust boundaries.

In scenarios where Copilot possesses broad access to an organization’s data sources, the potential ramifications could include the exposure of proprietary intellectual property, confidential communications, or restricted internal records.

Microsoft acknowledged Estevam Arantes of Microsoft for the discovery of CVE-2026-26129 and CVE-2026-26164. Independent researcher 0xSombra also received credit for their contribution to identifying CVE-2026-26164. No specific acknowledgment was listed for CVE-2026-33111. Microsoft confirmed that none of these vulnerabilities were publicly disclosed or actively exploited prior to the publication of the advisories.

Since all three vulnerabilities are cloud-side issues, Microsoft has already implemented the necessary mitigations at the service layer. This means enterprises are not required to install patches or modify existing configurations.

What You Should Do

  • While direct action is not required for these specific vulnerabilities, security teams should proactively review Copilot’s data access permissions within their environments.
  • Enforce the principle of least privilege for Copilot and other AI tools to minimize the potential impact of any future security flaws.
  • Stay informed about Microsoft’s security advisories and best practices for securing AI-powered services.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerability

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

Let’s Encrypt Halts Issuance Over Expired Root Certificate Bug

Next Post

NVIDIA Data Breach Exposes GeForce User Data, Leaked Employee Credentials

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Dutch Police Dismantle €100M Investment Fraud Network, 20 Call Centers Shut Down
July 16, 2026
JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
July 16, 2026
WhatsApp GhostPairing Flaw Lets Attackers Hijack Accounts
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us