Information Disclosure Vulnerability in M365 Copilot by Microsoft
CVE-2026-26164

7.5 HIGH

Key Information:

Vendor: Microsoft

CVE Published: 7 May 2026

Badges

👾 Exploit Exists
📰 News Worthy

What is CVE-2026-26164?

An information disclosure vulnerability exists in M365 Copilot due to improper neutralization of special elements in output. This flaw may allow unauthorized attackers to expose sensitive information over a network, potentially compromising data integrity and privacy for users of the affected product.

Affected Version(s)

Microsoft 365 Copilot's Business Chat -

News Articles

Critical Microsoft 365 Copilot Vulnerabilities Expose Sensitive Information

Microsoft has disclosed and fully remediated three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge, all released on May 7, 2026, requiring no action from end users or administrators.

3 weeks ago

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by Cybersecuritynews

  • Vulnerability published

  • Vulnerability Reserved
