Microsoft 365 Copilot Flaws Lead to Data Exposure, Cloud Fix Deployed
Microsoft disclosed and fully mitigated three critical cloud-side information-disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Edge (CVE-2026-26129, CVE-2026-26164, CVE-2026-33111). The flaws—rooted in improper handling of special elements and command injection—could allow leakage of sensitive enterprise data over the network. Mitigations are deployed at the service level; no patches or admin actions are required. Security teams should review Copilot data access permissions and enforce least-privilege to reduce exposure from future flaws.
