Introduction
An unauthenticated information disclosure vulnerability in Microsoft 365 Copilot Business Chat allowed remote attackers to leak sensitive organizational data without any user interaction or prior authentication. For enterprises that have woven Copilot into daily workflows, where it aggregates emails, chats, documents, and other Microsoft Graph connected content, the exposure surface of this flaw extends well beyond a typical web application bug.
Microsoft disclosed CVE-2026-26129 on May 7, 2026, assigning it a CVSS 3.1 base score of 7.5 (High) while simultaneously elevating the maximum severity to Critical. The vendor has already deployed a server side fix, and no customer action is required. Still, this vulnerability is the third information disclosure flaw in Copilot disclosed in 2026, and it raises important questions about the maturity of input sanitization in large language model integrations.
Technical Information
Root Cause: CWE-138 and Prompt Boundary Failures
The vulnerability is classified under CWE-138: Improper Neutralization of Special Elements. In the context of an AI powered assistant like Copilot Business Chat, this weakness manifests when delimiters, control sequences, or prompt boundaries are not properly sanitized. When special elements embedded in input are mishandled, text that should be treated as passive data can instead be interpreted as instructions by the underlying language model. This can cause the system to retrieve or expose information from the user's work context, which in Copilot's case includes emails, Teams messages, SharePoint documents, and other Microsoft Graph connected resources.
CVSS Vector Breakdown
Microsoft published the following CVSS 3.1 vector string:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
The individual metrics tell a clear story about the attack surface:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Remotely exploitable |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim action required |
| Scope | Unchanged | Impact confined to the vulnerable component |
| Confidentiality | High | Significant data exposure possible |
| Integrity | None | No data modification |
| Availability | None | No denial of service |
| Exploit Code Maturity | Unproven | No public exploit code exists |
| Remediation Level | Official Fix | Vendor has deployed a patch |
The combination of no authentication, no user interaction, low attack complexity, and high confidentiality impact is what makes this vulnerability particularly noteworthy. Microsoft's decision to escalate the severity to Critical, despite the 7.5 base score, reflects the reality that Copilot processes aggregated enterprise data. A successful exploit would not just leak a single record; it could potentially expose a broad cross section of organizational content.
What We Do Not Know
Microsoft has not published specific payload examples, the exact parsing contexts affected, or the specific classes of information that could be leaked. The National Vulnerability Database has not yet provided an enriched assessment. Without these details, we cannot describe a precise exploitation flow. What we can say is that the vulnerability fits a well understood pattern: AI systems that fail to properly distinguish between data and instructions at prompt boundaries are susceptible to having their retrieval capabilities turned against the organizations they serve.
Affected Systems and Versions
The vulnerability affects Microsoft 365 Copilot Business Chat, which is a cloud hosted service. Microsoft has not published specific version numbers or build identifiers, as the service is centrally managed and updated on the server side. All organizations using Copilot Business Chat prior to the vendor applied fix were potentially affected.
Vendor Security History
CVE-2026-26129 is the third information disclosure vulnerability disclosed in Microsoft 365 Copilot in 2026 alone:
| CVE ID | Publication Date | Weakness Type |
|---|---|---|
| CVE-2026-24307 | January 23, 2026 | Improper input validation causing information disclosure |
| CVE-2026-26133 | March 20, 2026 | AI command injection flaw |
| CVE-2026-26129 | May 7, 2026 | Improper neutralization of special elements |
This pattern suggests that securing prompt boundaries and neutralizing malicious inputs remains a systemic challenge for large language model integrations, even for a vendor with Microsoft's security resources. The Microsoft Security Response Center has demonstrated consistent rapid response, deploying server side fixes before public disclosure in each case. However, the frequency of these disclosures warrants attention from security teams evaluating the risk posture of AI tools in their environments.
References
- Microsoft Security Update Guide: CVE-2026-26129
- NVD Entry: CVE-2026-26129
- CVE Record: CVE-2026-26129
- MITRE CVE API: CVE-2026-26129
- WindowsForum Analysis: Critical Info Leak Fixed in Microsoft 365 Copilot Business Chat
- SentinelOne: CVE-2026-24307 M365 Copilot Information Disclosure Flaw
- SentinelOne: CVE-2026-26133 M365 Copilot Information Disclosure Flaw
- Microsoft Blog: Microsoft 365 Copilot, Human Agency, and the Opportunity for Every Organization



