Description
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Published: 2026-03-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Command Injection
Action: Patch Immediately
AI Analysis

Impact

An AI command injection flaw in Microsoft 365 Copilot allows an unauthorized attacker to disclose sensitive information over a network by injecting arbitrary commands into the Copilot processing pipeline. The vulnerability stems from improper sanitization of user input in the Copilot interface, enabling attackers to retrieve data without authentication. This type of weakness directly maps to CWE‑77 (Command Injection).

Affected Systems

The flaw is present in Microsoft 365 Copilot on Android and iOS, as well as in several Microsoft applications that include the Copilot feature on those platforms. These applications are Microsoft Edge, Microsoft Excel, Microsoft PowerPoint, Microsoft Word, Microsoft OneNote, Microsoft Outlook, Microsoft Power BI, Microsoft Teams, and Microsoft Loop. The exact product versions that may be affected are not listed in the public advisory, so any current release of the above apps on Android and iOS should be treated as vulnerable until a patch is released.

Risk and Exploitability

The CVSS base score of 7.1 signals a moderate-to-high severity. The EPSS metric is below 1%, indicating that real-world exploitation is currently uncommon. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. Attackers would most likely target the Copilot AI input interface over a network connection, sending crafted payloads to trigger command injection; this inference is based on the advisory's description, as the official documentation does not specify a precise attack vector.

Generated by OpenCVE AI on April 8, 2026 at 23:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest updates for Microsoft 365 Copilot and all affected Office and Edge applications using the Microsoft Update Guide link provided.
  • Ensure all Android and iOS installations of the affected applications are up‑to‑date.
  • If updates are not yet available, restrict network access to the Copilot AI service or block outbound traffic to Microsoft Copilot endpoints until a patch is released.
  • Monitor Microsoft security advisories and the CISA catalog for any new information on exploitation or additional workarounds.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-78

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft 365 Copilot
Microsoft power Bi
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:excel:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:loop:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:onenote:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:onenote:-:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:outlook:-:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:power_bi:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:power_bi:-:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:word:*:*:*:*:*:iphone_os:*:*
Vendors & Products Microsoft 365 Copilot
Microsoft power Bi

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-78

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-78

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-78

Thu, 26 Mar 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-94

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-94

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-94

Mon, 23 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-94

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft 365 Copilot For Android
Microsoft 365 Copilot For Ios
Microsoft edge For Android
Microsoft edge For Ios
Microsoft excel For Android
Microsoft excel For Ios
Microsoft loop For Ios
Microsoft onenote
Microsoft outlook For Android
Microsoft outlook For Ios
Microsoft outlook For Mac
Microsoft powerbi For Android
Microsoft powerbi For Ios
Microsoft powerpoint For Android
Microsoft powerpoint For Ios
Microsoft teams For Android
Microsoft teams For Ios
Microsoft word For Android
Microsoft word For Ios
Vendors & Products Microsoft 365 Copilot For Android
Microsoft 365 Copilot For Ios
Microsoft edge For Android
Microsoft edge For Ios
Microsoft excel For Android
Microsoft excel For Ios
Microsoft loop For Ios
Microsoft onenote
Microsoft outlook For Android
Microsoft outlook For Ios
Microsoft outlook For Mac
Microsoft powerbi For Android
Microsoft powerbi For Ios
Microsoft powerpoint For Android
Microsoft powerpoint For Ios
Microsoft teams For Android
Microsoft teams For Ios
Microsoft word For Android
Microsoft word For Ios

Fri, 13 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Title M365 Copilot Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft 365 Copilot Android
Microsoft 365 Copilot Ios
Microsoft edge
Microsoft excel
Microsoft loop
Microsoft onenote For Android
Microsoft onenote For Ios
Microsoft outlook
Microsoft outlook 2016
Microsoft power Bi Android
Microsoft power Bi Ios
Microsoft powerpoint
Microsoft teams
Microsoft word
CPEs cpe:2.3:a:microsoft:365_copilot_Android:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:365_copilot_iOS:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:edge:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:excel:*:*:iOS:*:*:*:*:*
cpe:2.3:a:microsoft:loop:*:*:iOS:*:*:*:*:*
cpe:2.3:a:microsoft:onenote_for_android:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:onenote_for_ios:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:macos:*:*
cpe:2.3:a:microsoft:outlook_2016:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:power_bi_android:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:power_bi_iOS:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:powerpoint:*:*:iOS:*:*:*:*:*
cpe:2.3:a:microsoft:teams:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:teams:*:*:*:*:*:iphone_os:*:*
cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*
cpe:2.3:a:microsoft:word:*:*:iOS:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Copilot Android
Microsoft 365 Copilot Ios
Microsoft edge
Microsoft excel
Microsoft loop
Microsoft onenote For Android
Microsoft onenote For Ios
Microsoft outlook
Microsoft outlook 2016
Microsoft power Bi Android
Microsoft power Bi Ios
Microsoft powerpoint
Microsoft teams
Microsoft word
References
Metrics cvssV3_1
{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-14T16:36:44.731Z

Reserved: 2026-02-11T16:24:51.133Z

Link: CVE-2026-26133

Vulnrichment

Updated: 2026-03-16T14:24:27.333Z

NVD

Status : Modified

Published: 2026-03-16T14:18:26.337

Modified: 2026-04-09T18:16:57.460

Link: CVE-2026-26133

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:29:49Z

Weaknesses