CVE-2026-42824
Published 2026-06-04
CVE-2026-42824: Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.
Priority P2 · 60 · high · CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 7.64% (93.8th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_365_copilot | — | — |
Detection & IOCs (extracted from sources)
- Alert on outbound HTTP requests from browser sessions on m365.cloud.microsoft to Bing's 'Search by Image' endpoint that carry unusual path segments resembling encoded user data (e.g., OTP codes, email subjects).
- Hunt for crafted microsoft.com links distributed via phishing that target Copilot Enterprise Search with prompt-injection payloads in the q parameter; these links will appear legitimate due to the trusted microsoft.com domain.
- Watch for the HTML rendering race condition indicator: an <img> tag injected via the q parameter that fires an outbound request during Copilot response streaming, before sanitization completes.
- The vulnerability was mitigated server-side by Microsoft on the backend; tenant admins cannot patch or reconfigure the affected components themselves, and no customer action is required.
- Reducing the scope of data Copilot indexes (SharePoint, OneDrive, email) limits the blast radius of any future similar vulnerability by shrinking what can be exfiltrated.
- This was a proof-of-concept attack chain; no observed in-the-wild exploitation was reported at time of disclosure.
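A defender-side check for the crafted-link indicators listed above, added here as an example that is not from the page's sources: it scans URLs harvested from mail or proxy logs and flags microsoft.com / m365.cloud.microsoft links whose q parameter decodes (through nested percent- or entity-encoding) to HTML markup. The host list and the sample URLs are constructed assumptions.

```python
"""Flag Copilot Search links whose 'q' parameter carries HTML markup (added example)."""
import html
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts on which a Copilot Search link is expected (assumed; adjust per tenant).
COPILOT_HOSTS = ("m365.cloud.microsoft", "microsoft.com")

# Any tag-like token after full decoding; markup never belongs in a search query.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def _decode_fully(value: str, rounds: int = 3) -> str:
    """Peel layered percent- and entity-encoding so nesting cannot hide a tag."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def extract_query(url: str) -> Optional[str]:
    """Return the decoded 'q' value if the URL targets a Copilot host, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in COPILOT_HOSTS):
        return None
    values = parse_qs(parts.query).get("q")
    return _decode_fully(values[0]) if values else None


def is_suspicious_query(query: str) -> bool:
    """HTML markup inside the search query is the parameter-to-prompt indicator."""
    return bool(TAG_RE.search(query))


def scan_urls(urls: List[str]) -> List[str]:
    """Return the URLs that merit an alert."""
    return [u for u in urls if (q := extract_query(u)) is not None and is_suspicious_query(q)]


# Constructed sample links: benign query, query carrying an <img> tag, off-host link.
SAMPLE_URLS = [
    "https://m365.cloud.microsoft/search?q=quarterly+budget+deck",
    "https://m365.cloud.microsoft/search?q=%3Cimg+src%3D%22https%3A%2F%2Fexample.invalid%2Fp%22%3E",
    "https://example.invalid/search?q=%3Cimg+src%3Dx%3E",
]
```

Feed it the URLs from your mail gateway's click logs or proxy logs; only the second sample is returned, because the third is not on a trusted Microsoft host and so does not match the phishing pattern this indicator describes.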
VulDB
Microsoft 365 Copilot command injection (EUVD-2026-34334)
vuldb · 2026-06-07 · CVSS 6.5 · CVE-2026-42824 [MEDIUM]
A vulnerability, which was classified as critical, has been found in Microsoft 365 Copilot. The impacted element is an unknown function. Performing a manipulation results in command injection.
This vulnerability is cataloged as CVE-2026-42824. It is possible to initiate the attack remotely. There is no exploit available.
This product is a managed service. This means that users are not able to maintain vulnerability countermeasures themselves.
GHSA
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
ghsa_unreviewed · 2026-06-05 · CVE-2026-42824 [MEDIUM] · CWE-77
No detection rules found.
No public exploits indexed.
Checkpoint
22nd June – Threat Intelligence Report
blogs_checkpoint · 2026-06-22
For the latest discoveries in cyber research for the week of 22nd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Texas Parks and Wildlife Department has been affected by a third-party data breach involving its license system vendor. The incident exposed driver’s license information, passport numbers, emails, phone numbers, and residential addresses for 3,087,721 hunting and fishing license customers. Social Security numbers and payment dat
Hackernews
One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes
blogs_hackernews · 2026-06-15 · CVSS 7.5 · CVE-2026-42824 [HIGH]
A single click on a trusted Microsoft link could have let an attacker pull emails, calendar details, and indexed files out of Microsoft 365 Copilot Enterprise Search.
Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it.
No prompt, no password, no second click. Microsoft assigned CVE-2026-42824 and marked it critical; the CVSS scores ran low
Bleepingcomputer
New attack turned Microsoft 365 Copilot into 1-click data theft tool
blogs_bleepingcomputer · 2026-06-15 · CVE-2026-42824
By Bill Toulas
## Three-stage attack chain
Researchers at the enterprise data security company Varonis developed SearchLeak by chaining three flaws that, individually, are insufficient to enable a meaningful attack.
They combined a parameter-to-prompt injection, an HTML rendering race condition, and a content-security-policy (CSP) bypass enabled by Bing server-side request forgery (SSRF).
In the first stage, the attack exploits a parameter-to-prompt (P2P) injection weakness by leveraging how Microsoft 365 Copilot Search accepts the ‘q’ URL parameter for search queries.
Unlike regular Copilot, which generates content, Microsoft Copilot Enterprise Search looks for company data in emails, meetings, SharePoint files,
Talos
Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities
blogs_talos · 2026-06-09 · CVSS 8.8 · CVE-2026-42985 [HIGH]
Microsoft has released its monthly security update for June 2026, which includes 206 vulnerabilities affecting a range of products, including 32 that Microsoft marked as “critical”.
Out of 32 "critical" entries, 28 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Windows Active Directory, Windows Kerberos Key Distribution Centre (KDC), Windows Graphics component, Windows Remote Desktop client, Windows Deployment Services (WDS), DHCP Client service, Windows Hyper-V, Windows Kernel and Media, Azure Kubernetes Service (AKS), Microsoft Office, Microsoft Outlook, Microsoft Word, Microsoft SQL server and Windows HTTP Protocol Stack.
Talos highlights 4 cr
Sans Isc
Microsoft June 2026 Patch Tuesday, (Tue, Jun 9th)
blogs_sans_isc · 2026-06-09 · CVSS 8.8 · CVE-2026-49160 [HIGH]
Published: 2026-06-09. Last Updated: 2026-06-09 17:34:29 UTC
by Johannes Ullrich (Version: 1)
Microsoft today released patches for 204 vulnerabilities. 38 of these vulnerabilities are considered critical, and three have been disclosed before today. Six of the vulnerabilities affect Microsoft cloud solutions and do not require any user action. In addition, Microsoft incorporated 360 different vulnerabilities affecting Chromium into its Edge browser.
This is certainly a busier-than-usual patch Tuesday. In particular, the large number of patched Chromium/Edge vulnerabilities underscores the impact of AI tools on vulnerability discovery.
Some noteworthy vulnerabilities:
CVE-2026-49160: This vulnerability was made public a week ago. As implem
Crowdstrike
June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days
blogs_crowdstrike · CVE-2026-45586