Description
Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Published: 2026-05-07
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Microsoft 365 Copilot’s Business Chat arises from an improper neutralization of special elements. When an attacker can influence the Chat input to include such elements, the system incorrectly processes them, allowing the attacker to read sensitive data that is normally protected. The primary effect is the accidental disclosure of private information to an unauthorized party.

Affected Systems

All instances of Microsoft 365 Copilot’s Business Chat are potentially impacted, as no specific version constraints are listed by the vendor. Users who enable or regularly use the Business Chat feature are at risk.

Risk and Exploitability

With a CVSS score of 7.5 the flaw is classified as high severity for information disclosure. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, indicating limited public exploitation evidence. The likely attack vector requires the attacker to inject or manipulate Chat content, a capability that is limited to accounts with access to the Business Chat interface or to public-facing chat surfaces that accept user input.

Generated by OpenCVE AI on May 7, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft 365 Copilot update through the Microsoft 365 admin center so the flaw is fixed by Microsoft
  • Restrict access to Business Chat by limiting it to trusted users or disabling the feature entirely if not needed
  • Configure and enforce stricter input validation or content filtering for chat messages to prevent malicious special elements

Generated by OpenCVE AI on May 7, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Title M365 Copilot Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft 365 Copilot Business Chat
Weaknesses CWE-138
CPEs cpe:2.3:a:microsoft:365_copilot_business_chat:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Copilot Business Chat
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Copilot Business Chat
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-07T20:58:24.050Z

Reserved: 2026-02-11T15:52:13.912Z

Link: CVE-2026-26129

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-07T22:16:33.607

Modified: 2026-05-07T22:16:33.607

Link: CVE-2026-26129

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T23:00:07Z

Weaknesses