CVE-2026-26164 M365 Copilot Information Disclosure Vulnerability
CVE-2026-26164 is an information disclosure vulnerability in M365 Copilot caused by improper neutralization of special elements; it allows unauthorized disclosure of information over a network.
CVE-2026-26164 is an information disclosure vulnerability affecting Microsoft’s M365 Copilot. It arises from the improper neutralization of special elements within the output generated by Copilot. An attacker could exploit this flaw over the network to gain unauthorized access to sensitive information. The impact centers on the potential leakage of data, with consequences for data privacy and security in organizations that use M365 Copilot. Successful exploitation could expose confidential data and compromise the confidentiality of business-critical information.
Attack Chain
- The attacker crafts a specific input containing special elements designed to exploit the vulnerability in M365 Copilot.
- This input is submitted to M365 Copilot through a network request, potentially via a specially crafted query or interaction.
- M365 Copilot processes the malicious input without properly neutralizing the special elements.
- The unneutralized special elements are included in the output generated by Copilot.
- This output, now containing the malicious special elements, is transmitted over the network.
- The attacker intercepts or gains access to the network traffic containing the compromised output.
- The attacker extracts the sensitive information that was inadvertently disclosed due to the improper neutralization of special elements.
Impact
Successful exploitation of CVE-2026-26164 can lead to the disclosure of sensitive information handled by M365 Copilot. The specific types of information disclosed will vary depending on the context of the Copilot interaction and the nature of the crafted malicious input. This could include Personally Identifiable Information (PII), confidential business data, or other proprietary information.
Recommendation
- Apply the security update released by Microsoft to patch CVE-2026-26164 on M365 Copilot to prevent exploitation of the vulnerability (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26164).
- Deploy the provided Sigma rule to detect potential exploitation attempts against M365 Copilot.
Detection coverage (2 rules)
Detects CVE-2026-26164 Exploitation Attempt - Suspicious Input to M365 Copilot
Severity: medium. Detects potential attempts to exploit CVE-2026-26164 by identifying suspicious patterns in input to M365 Copilot that could lead to information disclosure.
Detects CVE-2026-26164 Exploitation Attempt - Network Data Exfiltration
Severity: medium. Detects potential data exfiltration attempts related to CVE-2026-26164 by monitoring network traffic for unusually large responses from M365 Copilot.
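The second rule above works by spotting responses from M365 Copilot that are unusually large for the user receiving them. The script below is an added illustration of that logic; it is not the platform's Sigma rule, nor code from Microsoft. The newline-delimited JSON log format, the field names `ts`, `user`, `app` and `response_bytes`, and the sample records are all constructed assumptions (real M365 audit or proxy logs use their own schema and would need a small mapping step). It builds a per-user baseline from the median and median absolute deviation of response sizes, which is more robust to a single outlier than a mean, and it contrasts that with a fixed byte limit, which fires constantly on a user whose normal Copilot output is simply verbose.

```python
"""Flag unusually large M365 Copilot responses per user (added example).

Field names and sample records are constructed assumptions, not the schema
of any real Microsoft log source.
"""
import json
import statistics
from collections import defaultdict

# Constructed sample log: alice normally gets ~2 KB answers and then one 184 KB
# answer; bob normally gets ~50 KB answers; carol's record is a different app.
SAMPLE_LOG = """\
{"ts": "2026-03-01T09:00:01Z", "user": "alice@example.com", "app": "M365Copilot", "response_bytes": 2100}
{"ts": "2026-03-01T09:05:12Z", "user": "alice@example.com", "app": "M365Copilot", "response_bytes": 1900}
{"ts": "2026-03-01T09:09:45Z", "user": "alice@example.com", "app": "M365Copilot", "response_bytes": 2300}
{"ts": "2026-03-01T09:15:03Z", "user": "alice@example.com", "app": "M365Copilot", "response_bytes": 2000}
{"ts": "2026-03-01T09:21:30Z", "user": "alice@example.com", "app": "M365Copilot", "response_bytes": 184000}
{"ts": "2026-03-01T10:00:00Z", "user": "bob@example.com", "app": "M365Copilot", "response_bytes": 50000}
{"ts": "2026-03-01T10:03:00Z", "user": "bob@example.com", "app": "M365Copilot", "response_bytes": 52000}
{"ts": "2026-03-01T10:07:00Z", "user": "bob@example.com", "app": "M365Copilot", "response_bytes": 49000}
{"ts": "2026-03-01T10:11:00Z", "user": "bob@example.com", "app": "M365Copilot", "response_bytes": 51000}
{"ts": "2026-03-01T10:20:00Z", "user": "carol@example.com", "app": "Teams", "response_bytes": 900000}
"""


def parse_records(text, app="M365Copilot"):
    """Parse newline-delimited JSON and keep only records for the given app."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("app") == app:
            records.append(rec)
    return records


def absolute_threshold_hits(records, limit):
    """Naive rule: flag every response larger than a fixed byte limit."""
    return [r for r in records if r["response_bytes"] > limit]


def find_oversized_responses(records, min_baseline=4, mad_factor=5.0, abs_floor=100_000):
    """Per-user baseline rule.

    For each user with at least `min_baseline` Copilot responses, compute the
    median response size and the median absolute deviation (MAD). A response is
    flagged when it exceeds median + mad_factor * spread AND is at least
    `abs_floor` bytes, so tiny fluctuations on a very quiet user never fire.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    hits = []
    for user, recs in by_user.items():
        if len(recs) < min_baseline:
            continue  # not enough history to call anything "unusual"
        sizes = [r["response_bytes"] for r in recs]
        median = statistics.median(sizes)
        mad = statistics.median(abs(s - median) for s in sizes)
        # Guard against a zero MAD (identical sizes) with a 5% relative spread.
        spread = max(mad, 0.05 * median, 1.0)
        threshold = median + mad_factor * spread
        for r in recs:
            if r["response_bytes"] > threshold and r["response_bytes"] >= abs_floor:
                hits.append({
                    "user": user,
                    "ts": r["ts"],
                    "response_bytes": r["response_bytes"],
                    "threshold": round(threshold),
                })
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("fixed 48000-byte limit would flag:", len(absolute_threshold_hits(recs, 48000)), "records")
    for hit in find_oversized_responses(recs):
        print("baseline alert:", json.dumps(hit))
```

On the constructed data the fixed limit flags five records, four of them bob's normal traffic, while the per-user baseline flags only alice's single 184 KB response. In a real deployment the baseline window would be rolling (for example the user's previous N days) rather than the whole batch, and the floor and factor would be tuned against the tenant's own distribution.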