[CIVN-2026-0146] Information Disclosure Vulnerability in M365 Copilot

Published On: March 18, 2026



Information Disclosure Vulnerability in M365 Copilot


Indian – Computer Emergency Response Team (https://www.cert-in.org.in)


Severity Rating: HIGH


Software Affected


Microsoft Word, Excel, Teams, Edge, Outlook, OneNote, PowerPoint, PowerBI, 365 Copilot for Android

Microsoft Word, Excel, Teams, Edge, Outlook, OneNote, PowerPoint, PowerBI, Loop, 365 Copilot for iOS

Microsoft Outlook for Mac

Overview


A vulnerability has been reported in Microsoft M365 Copilot which could allow a remote attacker to potentially view sensitive information or make limited changes to disclosed information on the targeted system.


Target Audience:

All end-user organizations and individuals using Microsoft M365 Copilot.


Risk Assessment:

High risk of unauthorized access of data and data manipulation.


Impact Assessment:

Information Disclosure.


Description


Microsoft 365 Copilot (M365 Copilot) is an AI assistant integrated into Microsoft 365 apps like Word, Excel, PowerPoint, Outlook, and Teams to help users generate content, analyze data, and summarize information.


A vulnerability has been reported in Microsoft M365 Copilot due to AI command injection. A remote attacker could exploit this vulnerability by embedding malicious instructions within user-controlled content such as emails or documents on the targeted system.


Successful exploitation of this vulnerability could allow an attacker to potentially view sensitive information or make limited changes to disclosed information on the targeted system.


Solution


Apply appropriate updates as mentioned in:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133



References


Microsoft

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133


CVE Name

CVE-2026-26133






Thanks and Regards,

CERT-In


Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax: 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS


Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003
