Command Injection Vulnerability in Microsoft M365 Copilot
CVE-2026-42824

6.5 MEDIUM

Key Information:

Vendor: Microsoft

CVE Published: 4 June 2026

Badges

🔥 Trending now · 📈 Trended · 📈 Score: 4,150 · 👾 Exploit Exists · 📰 News Worthy

What is CVE-2026-42824?

CVE-2026-42824 is a command injection vulnerability identified in Microsoft M365 Copilot, a productivity tool that provides automated assistance and intelligent suggestions within the Microsoft 365 suite. The vulnerability arises from improper handling of special elements in command inputs, allowing an unauthorized attacker to inject malicious commands. If successfully exploited, it could enable an attacker to disclose sensitive information over the network, creating significant risk for organizations that rely on M365 Copilot for their operations. Such exposure could lead to unauthorized data access, potentially impacting the confidentiality and availability of critical information.

Potential impact of CVE-2026-42824

  1. Data Leakage: The vulnerability can facilitate unauthorized access to sensitive data, leading to potential data breaches that could compromise confidentiality and regulatory compliance for organizations.

  2. Unauthorized Access: Attackers exploiting this vulnerability could gain elevated privileges, allowing them to control or manipulate functionalities within the M365 environment, thereby undermining system integrity.

  3. Operational Disruption: The exploitation could lead to significant interruptions in business operations, as organizations may need to take systems offline for remediation and recovery efforts to mitigate the effects of the breach.

Affected Version(s)

Microsoft 365 Copilot

News Articles

One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes

Microsoft fixed a critical Copilot Enterprise Search flaw that could expose emails, calendars, and indexed files through one trusted link.

15 hours ago

New attack turned Microsoft 365 Copilot into 1-click data theft tool

A critical vulnerability chain dubbed SearchLeak in Microsoft 365 Copilot Enterprise could allow attackers to steal sensitive data from a target's mailbox, OneDrive, or SharePoint account through a specially crafted URL.

18 hours ago

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 📈 Vulnerability started trending
  • 👾 Exploit known to exist
  • 📰 First article discovered by BleepingComputer
  • Vulnerability published
  • Vulnerability reserved
