Description
Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
Published: 2026-05-12
Score: 6.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper access control in Microsoft M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally, potentially enabling the attacker to impersonate other users or actions within the application. This flaw directly undermines the integrity of user identity, which can lead to credential misuse or confusion over user actions.

Affected Systems

The vulnerability affects Microsoft M365 Copilot for Desktop. Specific version information is not provided, so all current releases of the product are presumed susceptible until a patch is applied.

Risk and Exploitability

The CVSS score of 6.2 indicates medium severity, and no EPSS score is available, suggesting no publicly known exploitation data yet. This vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local; an attacker must gain unauthorized local access to execute spoofing actions. No exploitation prerequisites beyond compromising local privileges are explicitly stated in the description.

Generated by OpenCVE AI on May 12, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Microsoft update for M365 Copilot for Desktop that addresses the improper access control flaw.
  • Restrict installation and operation of the Copilot application to trusted users with least privilege.
  • Enable and monitor audit logs for authentication and application usage to detect potential spoofing attempts.

Advisories

No advisories yet.

History

Tue, 12 May 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally. |
| Title | | M365 Copilot for Desktop Spoofing Vulnerability |
| First Time appeared | | Microsoft; Microsoft 365 Copilot For Desktop |
| Weaknesses | | CWE-284 |
| CPEs | | cpe:2.3:a:microsoft:365_copilot_for_desktop:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Microsoft; Microsoft 365 Copilot For Desktop |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'} |


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-12T17:53:56.476Z

Reserved: 2026-04-21T22:14:12.924Z

Link: CVE-2026-41614

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:17:23.363

Modified: 2026-05-12T18:17:23.363

Link: CVE-2026-41614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:30:05Z

Weaknesses