Information Disclosure Vulnerability in Copilot Studio by Microsoft
CVE-2026-21520

7.5HIGH

Key Information:

Vendor

Microsoft
Status
Microsoft Copilot Studio
Vendor
CVE Published:
22 January 2026

Badges

๐Ÿ‘พ Exploit Exists๐Ÿ“ฐ News Worthy

What is CVE-2026-21520?

An information disclosure vulnerability in Copilot Studio allows unauthenticated attackers to access sensitive information through a network attack vector. This flaw can lead to significant privacy risks, as without proper authentication, unauthorized users can exploit the weakness to obtain confidential data and potentially carry out further malicious activities. Organizations utilizing Copilot Studio should take immediate action to apply the necessary patches and safeguard their sensitive information.

Affected Version(s)

Microsoft Copilot Studio -

News Articles

favicon imageDark Reading

Microsoft, Salesforce Patch AI Agent Data Leak Flaws

Two recently fixed prompt injections in Salesforce Agentforce and Microsoft Copilot would have enabled an external attacker to leak sensitive data.

18 hours ago

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...
vendor-advisorypatch

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿ“ฐ

    First article discovered by Dark Reading

  • Vulnerability published

  • Vulnerability Reserved

.