ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-26129 Information Disclosure in Microsoft 365 Copilot via Improper Neutralization of Special Elements

A brief summary of CVE-2026-26129, a high severity information disclosure vulnerability in Microsoft 365 Copilot Business Chat caused by improper neutralization of special elements, allowing unauthenticated network attackers to leak sensitive data. Microsoft has already applied a server side fix requiring no customer action.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-07

Brief Summary: CVE-2026-26129 Information Disclosure in Microsoft 365 Copilot via Improper Neutralization of Special Elements
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated information disclosure vulnerability in Microsoft 365 Copilot Business Chat allowed remote attackers to leak sensitive organizational data without any user interaction or prior authentication. For enterprises that have woven Copilot into daily workflows, where it aggregates emails, chats, documents, and other Microsoft Graph connected content, the exposure surface of this flaw extends well beyond a typical web application bug.

Microsoft disclosed CVE-2026-26129 on May 7, 2026, assigning it a CVSS 3.1 base score of 7.5 (High) while simultaneously elevating the maximum severity to Critical. The vendor has already deployed a server side fix, and no customer action is required. Still, this vulnerability is the third information disclosure flaw in Copilot disclosed in 2026, and it raises important questions about the maturity of input sanitization in large language model integrations.

Technical Information

Root Cause: CWE-138 and Prompt Boundary Failures

The vulnerability is classified under CWE-138: Improper Neutralization of Special Elements. In the context of an AI powered assistant like Copilot Business Chat, this weakness manifests when delimiters, control sequences, or prompt boundaries are not properly sanitized. When special elements embedded in input are mishandled, text that should be treated as passive data can instead be interpreted as instructions by the underlying language model. This can cause the system to retrieve or expose information from the user's work context, which in Copilot's case includes emails, Teams messages, SharePoint documents, and other Microsoft Graph connected resources.

CVSS Vector Breakdown

Microsoft published the following CVSS 3.1 vector string:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

The individual metrics tell a clear story about the attack surface:

MetricValueImplication
Attack VectorNetworkRemotely exploitable
Attack ComplexityLowNo special conditions required
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo victim action required
ScopeUnchangedImpact confined to the vulnerable component
ConfidentialityHighSignificant data exposure possible
IntegrityNoneNo data modification
AvailabilityNoneNo denial of service
Exploit Code MaturityUnprovenNo public exploit code exists
Remediation LevelOfficial FixVendor has deployed a patch

The combination of no authentication, no user interaction, low attack complexity, and high confidentiality impact is what makes this vulnerability particularly noteworthy. Microsoft's decision to escalate the severity to Critical, despite the 7.5 base score, reflects the reality that Copilot processes aggregated enterprise data. A successful exploit would not just leak a single record; it could potentially expose a broad cross section of organizational content.

What We Do Not Know

Microsoft has not published specific payload examples, the exact parsing contexts affected, or the specific classes of information that could be leaked. The National Vulnerability Database has not yet provided an enriched assessment. Without these details, we cannot describe a precise exploitation flow. What we can say is that the vulnerability fits a well understood pattern: AI systems that fail to properly distinguish between data and instructions at prompt boundaries are susceptible to having their retrieval capabilities turned against the organizations they serve.

Affected Systems and Versions

The vulnerability affects Microsoft 365 Copilot Business Chat, which is a cloud hosted service. Microsoft has not published specific version numbers or build identifiers, as the service is centrally managed and updated on the server side. All organizations using Copilot Business Chat prior to the vendor applied fix were potentially affected.

Vendor Security History

CVE-2026-26129 is the third information disclosure vulnerability disclosed in Microsoft 365 Copilot in 2026 alone:

CVE IDPublication DateWeakness Type
CVE-2026-24307January 23, 2026Improper input validation causing information disclosure
CVE-2026-26133March 20, 2026AI command injection flaw
CVE-2026-26129May 7, 2026Improper neutralization of special elements

This pattern suggests that securing prompt boundaries and neutralizing malicious inputs remains a systemic challenge for large language model integrations, even for a vendor with Microsoft's security resources. The Microsoft Security Response Center has demonstrated consistent rapid response, deploying server side fixes before public disclosure in each case. However, the frequency of these disclosures warrants attention from security teams evaluating the risk posture of AI tools in their environments.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization