Microsoft Patches Three Critical Information Disclosure Vulnerabilities in Microsoft 365 Copilot and Edge

dark6 11 May 2026

Microsoft has disclosed and fully remediated three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge. All three were patched on May 7, 2026, and require no action from end users or administrators. However, their disclosure shines a spotlight on the expanding attack surface created by AI-powered enterprise tools with deep access to organizational data.

The advisories were published by Microsoft’s Security Response Center (MSRC) as part of its cloud CVE transparency initiative, which aims to keep enterprises informed about security issues affecting cloud-hosted services even when client-side patches are not required.

CVE-2026-26129: Business Chat Information Disclosure

The first vulnerability affects Microsoft 365 Copilot’s Business Chat. It stems from improper neutralization of special elements in output used by a downstream component — classified under CWE-74. An unauthorized attacker could exploit this over a network to disclose sensitive information processed by Copilot’s enterprise data aggregation layer.

Although full CVSS metrics were not published for this CVE, its critical severity classification reflects the high confidentiality risk inherent in Copilot’s access model, which aggregates emails, Teams conversations, SharePoint documents, and other sensitive organizational data.

Microsoft credited Estevam Arantes of Microsoft with discovering this vulnerability.

CVE-2026-26164: Network-Based Injection in M365 Copilot

The second vulnerability also targets M365 Copilot and shares the same CWE-74 classification. Its attack profile is particularly concerning:

  • Attack vector: Network (remotely exploitable)
  • Privileges required: None
  • User interaction required: None
  • Confidentiality impact: High
  • CVSS Score: 7.5 (base) / 6.5 (temporal)

The exploitability assessment is rated “Exploitation Less Likely,” and exploit code maturity is listed as unproven. Microsoft credited both Estevam Arantes and independent researcher 0xSombra for discovering this flaw.

CVE-2026-33111: Command Injection in Edge Copilot Chat

The third vulnerability affects Copilot Chat embedded in Microsoft Edge and is classified under CWE-77 (Improper Neutralization of Special Elements Used in a Command — Command Injection). It shares identical CVSS scores and attack characteristics with CVE-2026-26164.

This vulnerability is particularly notable given Microsoft Edge’s widespread deployment across enterprise environments, where it is often the mandated corporate browser. The attack vector is network-based and requires neither privileges nor user interaction, meaning exploitation could theoretically be triggered entirely server-side without any visible activity on the victim’s endpoint.

No acknowledgment was listed in Microsoft’s advisory for the researcher who discovered CVE-2026-33111.

Why AI Productivity Tools Are an Expanding Attack Surface

All three vulnerabilities illustrate a growing concern within the enterprise security community: AI-powered productivity tools like M365 Copilot aggregate and process vast quantities of sensitive organizational data. Weaknesses in how these systems handle injected commands or special elements can allow that data to leak across trust boundaries.

In organizations where Copilot has broad access to corporate data sources — including confidential emails, intellectual property, internal documents, and restricted HR records — the potential blast radius of a successful exploitation is far larger than a typical application vulnerability.

No Immediate Action Required — But Vigilance Is Advised

Since all three vulnerabilities are cloud-side, Microsoft has already deployed mitigations at the service layer. Enterprises do not need to install patches or apply configuration changes. Microsoft has confirmed that none of the three vulnerabilities were publicly disclosed or actively exploited prior to the publication of these advisories.

However, security teams are advised to take the following proactive steps:

  • Review Copilot’s data access permissions and enforce least-privilege principles to limit the scope of any future similar flaws
  • Audit which sensitive data sources (SharePoint sites, mailboxes, Teams channels) are accessible by Copilot in your tenant
  • Monitor Microsoft’s MSRC advisories for any updates indicating active exploitation
  • Consider restricting Copilot’s access to the most sensitive data repositories until a broader security review is complete

As AI assistants become more deeply integrated into enterprise workflows, their security posture will increasingly become a central concern for CISOs and security architects. These three CVEs serve as a timely reminder that the attack surface of AI tools extends well beyond the model itself — encompassing the data pipelines, API integrations, and output rendering layers that power them.
