Command Injection Vulnerability in Microsoft M365 Copilot
CVE-2026-42824
Key Information:
- Vendor
Microsoft
- Status
- Vendor
- CVE Published:
- 4 June 2026
Badges
What is CVE-2026-42824?
CVE-2026-42824 is a command injection vulnerability identified in Microsoft M365 Copilot, a productivity tool designed to enhance user capabilities with automated assistance and intelligent suggestions within the Microsoft 365 suite. This vulnerability arises from the improper handling of special elements in command inputs, allowing unauthorized attackers to inject malicious commands. If successfully exploited, this could enable attackers to disclose sensitive information across networks, creating significant risks for organizations that rely on M365 Copilot for their operations. Such exposure could lead to unauthorized data access, potentially impacting confidentiality and availability of critical information.
Potential impact of CVE-2026-42824
-
Data Leakage: The vulnerability can facilitate unauthorized access to sensitive data, leading to potential data breaches that could compromise confidentiality and regulatory compliance for organizations.
-
Unauthorized Access: Attackers exploiting this vulnerability could gain elevated privileges, allowing them to control or manipulate functionalities within the M365 environment, thereby undermining system integrity.
-
Operational Disruption: The exploitation could lead to significant interruptions in business operations, as organizations may need to take systems offline for remediation and recovery efforts to mitigate the effects of the breach.
Affected Version(s)
Microsoft 365 Copilot -
News Articles
Copilot, LiteLLM and the AI trust boundary gap
SearchLeak and a three-CVE LiteLLM chain broke the same AI trust boundary in two weeks. A 5-check audit maps each gap to a CVE, a verify command, and a fix.
3 weeks ago
Microsoft Copilot Hacked a Third Time β and IT Teams Can't Fight Back
Varonis researchers used SearchLeak to turn Microsoft 365 Copilot into a one-click data theft tool β the third such exploit in a year. CVE-2026-42824 is now patched.
4 weeks ago
One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
Microsoft fixed a critical Copilot Enterprise Search flaw that could expose emails, calendars, and indexed files through one trusted link.
4 weeks ago
References
EPSS Score
7% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- π
Vulnerability started trending
- πΎ
Exploit known to exist
- π°
First article discovered by BleepingComputer
Vulnerability published
Vulnerability Reserved