ZeroPath at Black Hat USA 2026

M365 Copilot Business Chat Information Disclosure (CVE-2026-26164): Brief Summary of an Injection Flaw in Microsoft's AI Assistant

A brief summary of CVE-2026-26164, a high severity injection vulnerability in Microsoft 365 Copilot Business Chat that could have allowed unauthenticated attackers to disclose sensitive information over a network. Microsoft has already fully mitigated this cloud service vulnerability.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-07

M365 Copilot Business Chat Information Disclosure (CVE-2026-26164): Brief Summary of an Injection Flaw in Microsoft's AI Assistant
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An injection flaw in Microsoft 365 Copilot Business Chat could have allowed an unauthenticated attacker to silently extract sensitive information over the network, with no user interaction required. With Copilot now deployed across 20 million paid seats in the M365 commercial ecosystem, even a fully mitigated cloud vulnerability like this one deserves structured awareness and a clear operational response from security teams.

Technical Information

The root cause of CVE-2026-26164 is classified under CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component. In the context of Microsoft 365 Copilot Business Chat, specially crafted input could influence the output consumed by a downstream component in a way that was not intended, ultimately leading to information disclosure.

CVSS Breakdown

The CVSS 3.1 base score of 7.5 reflects a high severity issue with the following characteristics:

MetricValueOperational Implication
Base Score7.5High severity issue requiring attention
Temporal Score6.5Score reduced due to official vendor fix
Attack VectorNetworkExploitable remotely over the network
Privileges RequiredNoneUnauthenticated exploitation possible
User InteractionNoneNo user action needed to trigger
ConfidentialityHighSignificant risk of data exposure
IntegrityNoneNo ability to modify data
AvailabilityNoneNo ability to disrupt service

The combination of network attack vector, no privileges required, and no user interaction creates a broad attack surface. Any network accessible endpoint serving Copilot Business Chat functionality was potentially reachable prior to the mitigation.

Attack Flow

Based on the vulnerability characteristics, the exploitation path would proceed as follows:

  1. An unauthorized attacker, operating remotely over the network, crafts input containing special elements targeting the Copilot Business Chat service.
  2. The Copilot Business Chat service fails to properly neutralize these special elements in its output.
  3. A downstream component processes this tainted output, and the injected elements alter its behavior.
  4. The downstream component discloses information back to the attacker.

Because no authentication or user interaction was required, the barrier to exploitation was low. The high confidentiality impact with no integrity or availability impact indicates this was a pure data exfiltration vector: the attacker could read data but could not modify it or disrupt service.

Scope of Affected Components

The specific affected product is Microsoft 365 Copilot Business Chat. Other Microsoft 365 services are not explicitly called out in the vulnerability record. This clarity in scope allows security teams to target their communications and risk tracking specifically to Business Chat owners and Copilot program leads rather than the broader user base.

Affected Systems and Versions

The vulnerability affects Microsoft 365 Copilot Business Chat. Microsoft has not published specific version numbers or version ranges, as this is a cloud service vulnerability that was mitigated on the server side. All instances of the service were affected prior to the mitigation applied by Microsoft, and all instances are now remediated. No other Microsoft 365 services are explicitly identified as affected.

Vendor Security History

CVE-2026-26164 is not an isolated finding in the M365 Copilot product line. CVE-2026-24299 describes a separate command injection vulnerability in M365 Copilot, underscoring that injection weaknesses are a recurring theme in AI integrated services. This pattern suggests that the attack surface introduced by large language model integrations, particularly around prompt and content injection, represents a systemic risk category that Microsoft and other vendors will continue to address as these products mature.

Microsoft's approach of publishing cloud vulnerability advisories even when no customer action is required reflects a transparency posture that is relatively uncommon among cloud service providers. Organizations should expect more advisories of this type and tune their internal processes accordingly.

Copilot Adoption Context

The scale of Copilot deployment adds context to the potential impact:

MetricQ2 2026Q3 2026
Paid Copilot Seats15 million20 million
Total M365 Commercial Seats450 millionUp to 477 million estimated
Penetration Rate3.3 percent4.2 to 4.4 percent

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization