Description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network.
Published: 2026-03-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Improper neutralization of special elements used in a command in Microsoft Copilot creates a command‑injection flaw that permits an unauthorized attacker to cause the application to run arbitrary commands and copy sensitive data over the network. The flaw is classified as CWE‑77 and can lead to unauthorized disclosure of information.

Affected Systems

The vulnerability applies to Microsoft Copilot. No specific version ranges are supplied, so all current releases may be affected until a patch is released.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1 % shows a low likelihood of exploitation in the wild. It is not listed in the CISA KEV catalog, suggesting no known active exploitation. The likely attack vector requires access to the Copilot interface; a local application or partner with access to the interface can supply crafted input that is not properly sanitized, enabling command execution and data exfiltration across the network. These inferences are based on the description of command injection and the stated disclosure of information.

Generated by OpenCVE AI on April 2, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft Copilot patch that resolves CVE‑2026‑26136.
  • Verify the patch by reviewing release notes or performing validation tests to ensure the injection flaw is fixed.
  • Monitor system and network logs for signs of command execution or unusual data transfer patterns.
  • If a patch is not yet available, limit network exposure of Copilot components and enforce strict input validation to reduce the risk of injection attacks.

Generated by OpenCVE AI on April 2, 2026 at 05:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:copilot:-:*:*:*:*:*:*:*

Mon, 23 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network.
Title Microsoft Copilot Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft copilot
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:copilot:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft copilot
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Copilot
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-09T23:26:01.182Z

Reserved: 2026-02-11T16:24:51.133Z

Link: CVE-2026-26136

cve-icon Vulnrichment

Updated: 2026-03-20T16:30:21.116Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T21:17:07.883

Modified: 2026-04-01T12:23:09.570

Link: CVE-2026-26136

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:59:43Z

Weaknesses