Description
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Published: 2026-06-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw (CWE-77) that permits an unauthorized attacker to disclose information over a network. The CVE description does not explicitly confirm arbitrary command execution; the analysis infers that the injection could potentially allow it, so caution is warranted.

Affected Systems

The affected product is Microsoft 365 Copilot from Microsoft. No specific version ranges are listed in the available data, so all instances of this product are potentially vulnerable until an official fix is released.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS v3.1 vector recorded for this CVE (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) describes a network-reachable issue requiring no privileges but some user interaction, with a high confidentiality impact and no impact on integrity or availability. The likely attack vector involves an attacker with unauthorized access to the Copilot interface exploiting the command injection point to exfiltrate data. Successful exploitation would require the attacker to interact with the feature that processes user input without adequate neutralization.

Generated by OpenCVE AI on June 4, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft 365 Copilot update that fixes this command injection vulnerability once Microsoft releases it.
  • Restrict user permissions and API scopes so that only trusted users can execute Copilot commands.
  • Enable logging and monitor for unexplained command execution or data exfiltration, and isolate Copilot traffic via network segmentation.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Title | | M365 Copilot Information Disclosure Vulnerability
First Time appeared | | Microsoft; Microsoft 365 Copilot
Weaknesses | | CWE-77
CPEs | | cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft 365 Copilot
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-04T22:00:49.042Z

Reserved: 2026-04-30T14:51:12.702Z

Link: CVE-2026-42824

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T23:17:32.077

Modified: 2026-06-04T23:17:32.077

Link: CVE-2026-42824

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T00:00:08Z

Weaknesses