CVE-2026-26164EXPLOITEDPATCHED

microsoft · 365_copilot_chat

M365 Copilot Information Disclosure Vulnerability

Description

Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Affected Products

Vendor	Product	Versions
microsoft	365_copilot_chat	-

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
microsoft	365 copilot	cert_advisory	90%

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26164(vendor-advisory, patch)

Related News (3 articles)

Tier B

BSI Advisories3d ago

[NEU] [mittel] Microsoft 365 Copilot Business Chat: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen

→ No new info (linked only)

Tier C

VulDB3d ago

CVE-2026-26164 | Microsoft 365 Copilots Business Chat Downstream injection

→ No new info (linked only)

Tier A

Microsoft MSRC4d ago

CVE-2026-26164 M365 Copilot Information Disclosure Vulnerability

→ No new info (linked only)

CVSS 3.17.5 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26164

CWECWE-74

PublishedMay 7, 2026

Last enriched4d agov2

Trending Score43

Source articles3

Independent3

Info Completeness9/14

Missing: title, epss, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-40372EXP

ASP.NET Core Elevation of Privilege Vulnerability

Trending: 61

HIGHCVE-2026-39836EXP

Panic in Dial and LookupPort when handling NUL byte on Windows in net

Trending: 59

HIGHCVE-2026-42316EXP

KQL injection via kusto.tables.topics.mapping in kafka-sink-azure-kusto

Trending: 51

HIGHCVE-2026-26129EXP

M365 Copilot Information Disclosure Vulnerability

Trending: 43

CRITICALCVE-2026-33109EXP

Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability

Trending: 41

Pin to Dashboard

Verification

State: verified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 7, 2026

Discovered by ZDM

May 7, 2026

Updated: description, exploitAvailable, activelyExploited

May 7, 2026

Actively Exploited

May 8, 2026

Exploit Available

May 8, 2026

Patch Available

May 8, 2026

Version History

Last enriched 4d ago

v2Tier A4d ago

Added a detailed description of the vulnerability and marked it as actively exploited with an exploit available.

descriptionexploitAvailableactivelyExploited

via Microsoft MSRC

v14d ago

Initial creation