anonhaven
Ad

CVE-2026-26133

HIGH CVSS 3.1: 7.1 EPSS 0.06%
Updated Mar 16, 2026
Microsoft
Parameter Value
CVSS 7.1 (HIGH)
Affected Versions 1.0 — 8.3.1
Fixed In 2.106.26020617
Vendor Microsoft
Public PoC No

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Vulnerable Products 20

Configuration From (including) Up to (excluding)
Microsoft Onenote_For_Ios
cpe:2.3:a:microsoft:onenote_for_ios:*:*:*:*:*:*:*:*
 1.0.0 2.106.26020617
Microsoft Outlook
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:macos:*:*
 1.0.0 5.2605
Microsoft Outlook_2016
cpe:2.3:a:microsoft:outlook_2016:*:*:*:*:*:android:*:*
 1.0 5.2605
Microsoft 365_Copilot_Ios
cpe:2.3:a:microsoft:365_copilot_iOS:*:*:*:*:*:*:*:*
 1.0 2.107.2
Microsoft Edge
cpe:2.3:a:microsoft:edge:*:*:*:*:*:android:*:*
 1.0.0 145.3800.99
Microsoft Teams
cpe:2.3:a:microsoft:teams:*:*:*:*:*:iphone_os:*:*
 2.0.0 8.3.1
Microsoft Teams
cpe:2.3:a:microsoft:teams:*:*:*:*:*:android:*:*
 1.0.0 1.0.0.2026043102
Microsoft Excel
cpe:2.3:a:microsoft:excel:*:*:*:*:*:android:*:*
 16.0.0.0 16.0.19822.20038
Microsoft Word
cpe:2.3:a:microsoft:word:*:*:*:*:*:android:*:*
 16.0.0.0 16.0.19822.20038
Microsoft Powerpoint
cpe:2.3:a:microsoft:powerpoint:*:*:iOS:*:*:*:*:*
 1.0 2.106.26020617
Microsoft Word
cpe:2.3:a:microsoft:word:*:*:iOS:*:*:*:*:*
 2.0.0 2.106.26020617
Microsoft Loop
cpe:2.3:a:microsoft:loop:*:*:iOS:*:*:*:*:*
 2.0.0 2.106.26020617
Microsoft Outlook
cpe:2.3:a:microsoft:outlook:*:*:*:*:*:iphone_os:*:*
 1.0.0 5.2605
Microsoft 365_Copilot_Android
cpe:2.3:a:microsoft:365_copilot_Android:*:*:*:*:*:*:*:*
 1.0 16.0.19815.10000
Microsoft Power_Bi_Android
cpe:2.3:a:microsoft:power_bi_android:*:*:*:*:*:*:*:*
 2.0.0 2.2.260210.21290750
Microsoft Power_Bi_Ios
cpe:2.3:a:microsoft:power_bi_iOS:*:*:*:*:*:*:*:*
 1.0.0 1.2.260302.2193910
Microsoft Onenote_For_Android
cpe:2.3:a:microsoft:onenote_for_android:*:*:*:*:*:*:*:*
 16.0.1 16.0.19725.20142
Microsoft Edge
cpe:2.3:a:microsoft:edge:*:*:*:*:*:iphone_os:*:*
 1.0.0.0 145.3800.99
Microsoft Powerpoint
cpe:2.3:a:microsoft:powerpoint:*:*:*:*:*:android:*:*
 16.0.0.0 16.0.19822.20038
Microsoft Excel
cpe:2.3:a:microsoft:excel:*:*:iOS:*:*:*:*:*
 1.0 2.106.26020617

References 1

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133
M365 Copilot Information Disclosure Vulnerability
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-3910

Google

8.8

CVE-2026-3909

Google

8.8

CVE-2026-3940

Microsoft

5.3

CVE-2026-3939

Microsoft

5.3

CVE-2026-3936

Google

8.8