Description
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Published: 2026-06-18
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authentication check in a critical Microsoft 365 Copilot function allows an attacker who can reach the service over a network to read sensitive data that should be protected. The vulnerability is rated Critical with a CVSS score of 9.8, indicating that exploitation could fully compromise data confidentiality for affected accounts.

Affected Systems

The product impacted is Microsoft 365 Copilot. No specific version numbers are supplied in the CNA data, so the vulnerability is presumed to apply to all currently deployed instances of the Copilot service until a patch is applied.

Risk and Exploitability

Because no authentication is required, any user who can reach the service over the network can trigger the vulnerable operation without privileged credentials. The high CVSS score alone places this in the high-risk category, and the lack of an exploitation-probability estimate (EPSS not available) and the absence of a KEV listing do not reduce the urgency, given the clear disclosure potential. Attackers could exploit this remotely over the network, leveraging standard HTTP/HTTPS traffic to the Copilot endpoint.

Generated by OpenCVE AI on June 19, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Microsoft 365 Copilot security update published by Microsoft via the MSRC advisory
  • Deploy the update across all tenant environments, ensuring the fix is in place on all affected servers and devices
  • Restrict network access to the Copilot service endpoints using firewall or segmentation rules until the patch is fully rolled out

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Title | (none) | M365 Copilot Information Disclosure Vulnerability
First Time appeared | (none) | Microsoft; Microsoft 365 Copilot
Weaknesses | (none) | CWE-306
CPEs | (none) | cpe:2.3:a:microsoft:365_copilot:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Microsoft; Microsoft 365 Copilot
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-06-18T21:42:39.358Z

Reserved: 2026-06-11T20:33:37.837Z

Link: CVE-2026-54130

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T00:30:17Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function