CVE-2026-24307

M365 Copilot Information Disclosure Vulnerability

CVSS 9.3 CRITICAL | EPSS 0.8% | CWE-1287
In short

Microsoft 365 Copilot fails to properly validate certain user inputs, allowing attackers to access sensitive information through the network without authorization. This vulnerability can expose confidential data that should be protected.

Technical detail

The vulnerability involves insufficient input validation in M365 Copilot's input handling mechanisms, enabling an unauthenticated network-based attacker to extract sensitive information through crafted requests. The improper validation of a specified input type allows bypass of access controls, resulting in unauthorized information disclosure. Per the CVSS vector, exploitation requires user interaction (UI:R).

Summary generated and translated by AI from the official description.
Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:U/RL:O/RC:C
