HIGH | CVE-2026-26133 | Published | Modified | CNA: microsoft
CVE-2026-26133: M365 Copilot Information Disclosure Vulnerability
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 1.0.0.2026043102
- Affected Products: 20
Fix available
- 1.0.0.2026043102
- 1.2.260302.2193910
- 2.2.260210.21290750
- 2.106.26020617
- 2.107.2
- 5.2605
- 8.3.1
- 16.0.19725.20142
- 16.0.19815.10000
- 16.0.19822.20038
- 145.3800.99
Affected packages
- Microsoft / Microsoft 365 Copilot for Android < 16.0.19815.10000 (from 1.0)
- Microsoft / Microsoft 365 Copilot for iOS < 2.107.2 (from 1.0)
- Microsoft / Microsoft Edge for Android < 145.3800.99 (from 1.0.0)
- Microsoft / Microsoft Edge for iOS < 145.3800.99 (from 1.0.0.0)
- Microsoft / Microsoft Excel for Android < 16.0.19822.20038 (from 16.0.0.0)
- Microsoft / Microsoft Excel for iOS < 2.106.26020617 (from 1.0)
- Microsoft / Microsoft Loop for iOS < 2.106.26020617 (from 2.0.0)
- Microsoft / Microsoft OneNote < 2.106.26020617 (from 1.0.0)
- Microsoft / Microsoft OneNote for Android < 16.0.19725.20142 (from 16.0.1)
- Microsoft / Microsoft Outlook for Android < 5.2605 (from 1.0)
- Microsoft / Microsoft Outlook for iOS < 5.2605 (from 1.0.0)
- Microsoft / Microsoft Outlook for Mac < 5.2605 (from 1.0.0)
- Microsoft / Microsoft PowerBI for Android < 2.2.260210.21290750 (from 2.0.0)
- Microsoft / Microsoft PowerBI for iOS < 1.2.260302.2193910 (from 1.0.0)
- Microsoft / Microsoft PowerPoint for Android < 16.0.19822.20038 (from 16.0.0.0)
- Microsoft / Microsoft PowerPoint for iOS < 2.106.26020617 (from 1.0)
- Microsoft / Microsoft Teams for Android < 1.0.0.2026043102 (from 1.0.0)
- Microsoft / Microsoft Teams for iOS < 8.3.1 (from 2.0.0)
- Microsoft / Microsoft Word for Android < 16.0.19822.20038 (from 16.0.0.0)
- Microsoft / Microsoft Word for iOS < 2.106.26020617 (from 2.0.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C