Description
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Published: 2026-06-04
Score: 6.5 Medium
EPSS: 7.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authentication flaw that permits an unauthorized attacker to call a critical function in Microsoft 365 Copilot and retrieve sensitive data over the network. The analysis indicates that the exposure is limited to information disclosure; no evidence of command execution is reported, even though the flaw is classified as CWE‑77.

Affected Systems

Microsoft 365 Copilot is the affected product. Because no specific version ranges are provided, all instances of this product are potentially vulnerable until Microsoft releases an official fix.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. An EPSS score of 8% shows a moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalogue, suggesting no publicly known exploits have been documented. The likely attack vector is network‑based, inferred from the description that an unauthenticated attacker can invoke a critical function over the network. The attacker does not need privileged access, but must be able to reach the Copilot interface to exploit the missing authentication.

Generated by OpenCVE AI on June 24, 2026 at 12:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any Microsoft 365 Copilot updates or security patches that address the missing authentication flaw.
  • Restrict access to the Copilot interface by enforcing network segmentation and role‑based authentication to reduce exposure.
  • Enable and monitor audit logs for privileged or anomalous calls to the exposed critical function to detect potential misuse.

Generated by OpenCVE AI on June 24, 2026 at 12:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Mon, 08 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft copilot
CPEs cpe:2.3:a:microsoft:copilot:-:*:*:*:*:*:*:*
Vendors & Products Microsoft copilot

Sat, 06 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Title M365 Copilot Information Disclosure Vulnerability
First Time appeared Microsoft
Microsoft 365 Copilot
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Copilot
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Copilot Copilot
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-23T17:45:37.325Z

Reserved: 2026-04-30T14:51:12.702Z

Link: CVE-2026-42824

cve-icon Vulnrichment

Updated: 2026-06-06T17:26:12.765Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T23:17:32.077

Modified: 2026-06-08T13:52:42.923

Link: CVE-2026-42824

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:15:05Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')