Description
Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.
Published: 2026-06-19
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Microsoft 365 Copilot’s Business Chat contains an open‑redirect flaw where a user can be directed to an untrusted URL. When this redirect occurs on the Business Chat interface, an attacker who is not authorized can gain elevated privileges over the network. The weakness is a classic ‘open redirect’ (CWE‑601) that permits an unauthorized party to change the target of a link while still appearing to originate from a trusted application.

Affected Systems

The vulnerability affects Microsoft 365 Copilot, specifically the Business Chat component. No explicit version information is provided in the advisory, so all current releases of the Business Chat feature are potentially impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote via the web interface of Business Chat, requiring the attacker to persuade a user to click the malicious link or craft the redirect themselves. Given the high CVSS, this flaw can be used to elevate an attacker’s privileges on the network if exploited successfully.

Generated by OpenCVE AI on June 19, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Microsoft 365 Copilot security update that addresses the open‑redirect bug
  • Disable or restrict the Business Chat feature in your tenant until a patch is applied
  • Implement URL validation on the Business Chat interface to ensure redirects only lead to whitelisted domains
  • Monitor user activity logs for unusual redirect patterns and investigate any incidents promptly

Generated by OpenCVE AI on June 19, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Description Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.
Title Microsoft 365 Copilot's Business Chat Elevation of Privilege Vulnerability
First Time appeared Microsoft
Microsoft 365 Copilot
Weaknesses CWE-601
CPEs cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft 365 Copilot
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft 365 Copilot
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-19T20:29:42.232Z

Reserved: 2026-05-19T20:12:27.070Z

Link: CVE-2026-47645

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T23:45:15Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')