CVE-2026-54130: M365 Copilot Information Disclosure Vulnerability
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Missing authentication for a critical function in Microsoft 365 Copilot allows an unauthenticated remote attacker to reach and exploit the vulnerable endpoint over the network with no privileges required. Successful exploitation gives the attacker full read, write, and denial-of-service capability against the affected service, enabling data disclosure, content tampering, and service disruption. HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment Microsoft publishes an upstream fix.
HarborGuard Coverage
- [Available] Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle M365 Copilot components.
- [Available] HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and weighs findings against each customer organization's compliance policy before routing alerts to the appropriate team inbox.
- [Pending upstream] No upstream fix version has been published for this CVE. HarborGuard re-checks the Microsoft advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released; for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will follow without manual intervention.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the vulnerable M365 Copilot endpoint over the network; no physical or local access is needed.
- Authentication: Not required
  No credentials or session token of any kind are required; the vulnerable function is reachable by any unauthenticated caller.
- Victim interaction: Not required
  No user action is needed; the attacker can trigger the vulnerability directly without involving any other party.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup.
Blast Radius
- A successful attacker reads sensitive data stored or processed by M365 Copilot, including documents, prompts, and any cached user content the service can access.
- The attacker writes or modifies content within the service, enabling injection of malicious responses, alteration of stored data, or tampering with Copilot outputs.
- The attacker disrupts service availability, causing M365 Copilot to become unresponsive to legitimate users.
- Because all three CVSS impact dimensions score High, the attacker achieves simultaneous confidentiality breach, integrity loss, and availability disruption in a single exploitation chain.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists, HarborGuard monitors the Microsoft advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation rules to restrict which workloads can reach M365 Copilot endpoints, egress filtering to limit outbound exposure, and feature-flag gating to disable Copilot integration in environments where it is not required. Where compliance policy permits, customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a PR opened against affected workloads within minutes of an upstream patch becoming available, targeting a median time from CVE patch publication to merged PR of around 90 minutes for critical-severity issues.
- Affected product: Microsoft / Microsoft 365 Copilot (version: -)
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C