Description
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Published: 2026-03-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability involves an AI command injection flaw in the Microsoft 365 Copilot component that lets an attacker, without authorization, cause the application to leak sensitive data over the network. It is a classic command injection, enabling the execution of unintended commands and resulting in the disclosure of confidential information such as user data and configuration. The impact is a loss of confidentiality.

Affected Systems

Affected products span the Microsoft 365 suite, particularly the Copilot implementations for Android and iOS, as well as core Office applications such as Edge, Excel, Loop, OneNote, Outlook, PowerBI, PowerPoint, Teams, and Word on both Android and iOS platforms. No specific affected release numbers are disclosed, so all current releases of these components should be considered vulnerable until Microsoft releases an update.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of active exploitation. Based on the description, the attack vector would likely involve a network-based command sent to the Copilot service, requiring the attacker’s ability to interact with the application, possibly through a malicious user prompt. Consequently, the risk to an organization is significant if the affected applications remain unpatched, but current exploitation likelihood is low.

Generated by OpenCVE AI on March 27, 2026 at 11:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft security update for CVE-2026-26133 to all affected Microsoft 365 Copilot and Office mobile applications.
  • Verify that all devices are running the latest operating system and application versions after applying the patch.
  • If a patch is not yet available, restrict or disable Copilot functionality on mobile devices to reduce the attack surface.

Generated by OpenCVE AI on March 27, 2026 at 11:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-78

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-78

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-78

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-94

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-94

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-94

Mon, 23 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-94

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft 365 Copilot For Android
Microsoft 365 Copilot For Ios
Microsoft edge For Android
Microsoft edge For Ios
Microsoft excel For Android
Microsoft excel For Ios
Microsoft loop For Ios
Microsoft onenote
Microsoft outlook For Android
Microsoft outlook For Ios
Microsoft outlook For Mac
Microsoft powerbi For Android
Microsoft powerbi For Ios
Microsoft powerpoint For Android
Microsoft powerpoint For Ios
Microsoft teams For Android
Microsoft teams For Ios
Microsoft word For Android
Microsoft word For Ios
Vendors & Products Microsoft 365 Copilot For Android
Microsoft 365 Copilot For Ios
Microsoft edge For Android
Microsoft edge For Ios
Microsoft excel For Android
Microsoft excel For Ios
Microsoft loop For Ios
Microsoft onenote
Microsoft outlook For Android
Microsoft outlook For Ios
Microsoft outlook For Mac
Microsoft powerbi For Android
Microsoft powerbi For Ios
Microsoft powerpoint For Android
Microsoft powerpoint For Ios
Microsoft teams For Android
Microsoft teams For Ios
Microsoft word For Android
Microsoft word For Ios

Fri, 13 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Title M365 Copilot Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft 365 Copilot Android
Microsoft 365 Copilot Ios
Microsoft edge
Microsoft excel
Microsoft loop
Microsoft onenote For Android
Microsoft onenote For Ios
Microsoft outlook
Microsoft outlook 2016
Microsoft power Bi Android
Microsoft power Bi Ios
Microsoft powerpoint
Microsoft teams
Microsoft word
CPEs cpe:2.3:a:microsoft:365_copilot_Android:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:365_copilot_iOS:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:edge:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:excel:*:*:iOS:*:*:*:*:*
cpe:2.3:a:microsoft:loop:*:*:iOS:*:*:*:*:*
cpe:2.3:a:microsoft:onenote_for_android:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:onenote_for_ios:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:outlook_2016:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:power_bi_android:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:power_bi_iOS:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:powerpoint:*:*:iOS:*:*:*:*:*
cpe:2.3:a:microsoft:teams:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:teams:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:word:*:*:iOS:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Copilot Android
Microsoft 365 Copilot Ios
Microsoft edge
Microsoft excel
Microsoft loop
Microsoft onenote For Android
Microsoft onenote For Ios
Microsoft outlook
Microsoft outlook 2016
Microsoft power Bi Android
Microsoft power Bi Ios
Microsoft powerpoint
Microsoft teams
Microsoft word
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Copilot Android 365 Copilot For Android 365 Copilot For Ios 365 Copilot Ios Edge Edge For Android Edge For Ios Excel Excel For Android Excel For Ios Loop Loop For Ios Onenote Onenote For Android Onenote For Ios Outlook Outlook 2016 Outlook For Android Outlook For Ios Outlook For Mac Power Bi Android Power Bi Ios Powerbi For Android Powerbi For Ios Powerpoint Powerpoint For Android Powerpoint For Ios Teams Teams For Android Teams For Ios Word Word For Android Word For Ios
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-03-27T22:33:20.396Z

Reserved: 2026-02-11T16:24:51.133Z

Link: CVE-2026-26133

cve-icon Vulnrichment

Updated: 2026-03-16T14:24:27.333Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:18:26.337

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-26133

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:27:10Z

Weaknesses