Microsoft Silently Patches Critical Copilot Vulnerabilities That Exposed Corporate Data

Microsoft has silently patched three critical Microsoft 365 Copilot vulnerabilities that could have allowed attackers to extract sensitive corporate data. The flaws, rooted in command injection weaknesses within both the core platform and Edge Copilot Chat, exposed a massive attack surface for enterprises relying on AI to process internal emails, documents, and private conversations.

The vulnerabilities were classified as "Critical" by the Microsoft Security Response Center under the information disclosure category. Fortunately for IT administrators, the fixes were deployed entirely server-side, meaning no manual updates or system reboots are required to secure affected environments. This public disclosure aligns with Microsoft's recent transparency initiative for its cloud services.

The three flaws share similar attack profiles, leveraging the improper handling of special elements to execute unauthorized commands. Security researchers Estevam Arantes and an independent researcher known as "0xSombra" were credited with discovering the vulnerabilities.

• CVE-2026-26129: Directly impacted Microsoft 365 Business Chat, allowing unauthorized attackers to extract sensitive information over the network due to improper input processing.
• CVE-2026-26164: Affected M365 Copilot through failures in neutralizing elements, potentially leading to direct code injection. This flaw carries a CVSS score of 7.5 and required no user interaction or elevated privileges.
• CVE-2026-33111: Specifically targeted the Copilot Chat embedded in Microsoft Edge, opening the door for potential command injections directly within the browser environment.

Microsoft confirmed that none of the vulnerabilities were actively exploited in the wild or publicly disclosed prior to the deployment of the server-side patch.

While the immediate threat has been neutralized at the infrastructure level, the incident highlights the unique risks of AI productivity tools. Because Copilot aggregates massive volumes of internal data, security experts recommend the following proactive measures:

• Audit Data Permissions: Regularly review the access permissions granted to AI tools, ensuring Copilot can only access data strictly necessary for daily operations.
• Implement Zero Trust: Apply Zero Trust architecture principles to internal documents and SharePoint repositories to limit the potential blast radius during an injection attack.

The rapid integration of generative AI into enterprise workflows has created a lucrative new vector for cybercriminals. Traditional security perimeters are designed to keep attackers out of the network, but prompt injection bypasses these defenses by manipulating the AI that already has legitimate access to the data.

As Microsoft continues to embed Copilot deeper into Windows and Office, the responsibility will increasingly shift toward strict internal data governance. If an AI assistant can read a confidential HR document or a proprietary financial spreadsheet, an attacker exploiting a zero-day flaw can likely read it too. The fact that these flaws required zero user interaction to execute proves that AI security must move beyond user awareness training and focus heavily on strict data compartmentalization.