Description
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Published: 2026-05-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by improper neutralization of special elements used in a command, which allows an unauthorized attacker to cause the Microsoft 365 Copilot service to disclose information over a network. The flaw does not grant code execution or privilege escalation, but it enables retrieval of data that the attacker is not permitted to view. The impact is limited to a confidentiality breach and does not affect integrity or availability.

Affected Systems

Microsoft 365 Copilot, provided by Microsoft. The advisory does not specify exact versions; any instance of the Copilot service that has not yet received the vendor’s fix remains at risk.

Risk and Exploitability

The CVSS score of 6.5 denotes medium severity, with the impact confined to confidentiality. The EPSS score is not available, so the likelihood of public exploitation cannot be precisely quantified. It is not listed in CISA's KEV catalog, indicating no confirmed widespread exploitation. The description suggests that an attacker must be able to interact with the Copilot service over the network and supply crafted input that the service incorrectly processes in a command context. Exploiting the flaw therefore requires that the attacker can reach the service and influence its command execution path.

Generated by OpenCVE AI on May 22, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Microsoft 365 Copilot update guide and install any available patch for CVE-2026-42827.
  • If a patch is not yet released, restrict network access to the Copilot service by limiting client endpoints and applying firewall or network segmentation rules to reduce exposure to unauthorized users.
  • Monitor Copilot logs for anomalous command activity and enforce strict input validation policies to prevent the execution of unintended commands.

Generated by OpenCVE AI on May 22, 2026 at 23:51 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 22 May 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description | (none) | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Title | (none) | M365 Copilot Information Disclosure Vulnerability
First Time appeared | (none) | Microsoft; Microsoft 365 Copilot
Weaknesses | (none) | CWE-77
CPEs | (none) | cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Microsoft; Microsoft 365 Copilot
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C'}


Subscriptions

Microsoft 365 Copilot
MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-05-22T22:03:08.198Z

Reserved: 2026-04-30T14:51:12.703Z

Link: CVE-2026-42827

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T01:30:05Z

Weaknesses