Description
Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view sensitive information through network attack vector
Published: 2026-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to view sensitive information in Copilot Studio via a network attack vector. This exposure can compromise the confidentiality of data, potentially enabling the attacker to retrieve proprietary or personal information that should be protected. The weakness is identified as CWE‑77, indicating a command injection or similar flaw that can be abused to access protected data.

Affected Systems

The affected product is Microsoft Copilot Studio. No specific version details are provided, implying that all current releases may be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.5 places this issue in the High range, yet the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, which may reflect its limited exploitation history. The likely attack vector is a network-based request to Copilot Studio that an unauthenticated user can trigger, utilizing the underlying command injection weakness to read restricted data.

Generated by OpenCVE AI on April 16, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for Copilot Studio as outlined in the Microsoft Security Response Center advisory.
  • Restrict external network access to Copilot Studio endpoints to known and trusted IP ranges to limit exposure.
  • Enable and monitor detailed logging for data access events, review logs regularly for anomalous activity.

Generated by OpenCVE AI on April 16, 2026 at 07:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 13:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:copilot_studio:-:*:*:*:*:*:*:*

Fri, 23 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view sensitive information through network attack vector
Title Copilot Studio Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft copilot Studio
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:copilot_studio:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft copilot Studio
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C/CR:H/IR:L/AR:L'}

Subscriptions

Microsoft Copilot Studio
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-01T13:49:22.726Z

Reserved: 2025-12-30T18:10:54.846Z

Link: CVE-2026-21520

cve-icon Vulnrichment

Updated: 2026-01-23T20:06:07.593Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T23:15:57.657

Modified: 2026-02-02T13:31:19.580

Link: CVE-2026-21520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T07:45:06Z

Weaknesses