Description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network.
Published: 2026-06-04
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper neutralization of special elements used in a command (CWE-77, command injection) in Microsoft 365 Copilot. An attacker who already holds authorized access can execute code over the network. Per the vendor's CVSS vector the scope is changed (S:C), with high impact to confidentiality and low impact to integrity and availability of the affected environment; the advisory does not disclose where the unneutralized input enters or what it reaches.

Affected Systems

Microsoft 365 Copilot is affected. The CPE entry (cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:*:*:*) carries a wildcard version, so no affected version range is disclosed; treat all current releases as in scope until Microsoft's advisory states otherwise.

Risk and Exploitability

The CVSS v3.1 base score is 7.7 (High), from the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L: network-reachable, high attack complexity, low privileges required, no user interaction, changed scope. The temporal metrics E:U/RL:O/RC:C record that no exploit is known (Unproven), that the vendor's vector marks the remediation level as Official Fix, and that the report is Confirmed. No EPSS score is available, the vulnerability is not listed in CISA KEV, and the SSVC assessment is Exploitation: none, Automatable: no, Technical Impact: total. An attacker needs authenticated, low-privilege access to Copilot and must supply input that the system fails to neutralize; the high attack complexity and the absence of a known exploit are what keep this at High rather than Critical.

Generated by OpenCVE AI on June 4, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The vendor-supplied CVSS vector does set Remediation Level to Official Fix (RL:O), so check the Microsoft advisory for CVE-2026-45497 directly rather than relying on this field alone.

OpenCVE Recommended Actions

  • Apply the Microsoft update for Microsoft 365 Copilot that addresses CVE-2026-45497 as soon as Microsoft's advisory lists it
  • Limit Copilot access to accounts that need it; the vector requires only low privileges (PR:L) and no user interaction, so every licensed user is a potential attacker, and the tenant should be reviewed for least privilege
  • Monitor Copilot audit and downstream activity logs for unexpected command or code execution and for abnormal behaviour originating from Copilot sessions

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 11:30:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 22:45:00 +0000

Values removed: none (initial publication)
Values added:
  • Description: Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network.
  • Title: Microsoft M365 Copilot Remote Code Execution Vulnerability
  • First Time appeared: Microsoft; Microsoft 365 Copilot
  • Weaknesses: CWE-77
  • CPEs: cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:*:*:*
  • Vendors & Products: Microsoft; Microsoft 365 Copilot
  • References: none
  • Metrics: cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L/E:U/RL:O/RC:C'}


MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-05T10:49:30.438Z

Reserved: 2026-05-12T16:07:22.618Z

Link: CVE-2026-45497

Vulnrichment

Updated: 2026-06-05T10:49:26.307Z

NVD

Status : Received

Published: 2026-06-04T23:17:32.250

Modified: 2026-06-04T23:17:32.250

Link: CVE-2026-45497

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T00:45:26Z

Weaknesses