CVE-2026-42824
published 2026-06-04

CVE-2026-42824: Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.

Priority: P2 (60) · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 7.64% (93.8th percentile)

Affected (1 range)

Vendor      Product                 Version range   Fixed in
microsoft   microsoft_365_copilot   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url: https://m365.cloud.microsoft/search?q=<injected_prompt>
path: /Your_Security_Code_847291/img.png
domain: *.bing.com
  • Alert on outbound HTTP requests from browser sessions on m365.cloud.microsoft to Bing's 'Search by Image' endpoint that carry unusual path segments resembling encoded user data (e.g., OTP codes, email subjects).
  • Hunt for crafted microsoft.com links distributed via phishing that target Copilot Enterprise Search with prompt-injection payloads in the q parameter — these links will appear legitimate due to the trusted microsoft.com domain.
  • Watch for the HTML rendering race condition indicator: an <img> tag injected via the q parameter that fires an outbound request during Copilot response streaming, before sanitization completes.
  • The vulnerability was mitigated server-side by Microsoft; tenant admins cannot patch or reconfigure the affected components themselves, and no customer action is required.
  • Reducing the scope of data Copilot indexes (SharePoint, OneDrive, email) limits the blast radius of any future similar vulnerability by shrinking what could be exfiltrated.
  • This was a proof-of-concept attack chain; no in-the-wild exploitation had been reported at the time of disclosure.
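As an added example (not code from the cvebase page or from Microsoft), the first detection bullet above turned into a hunting rule over constructed secure-web-gateway log lines: it flags requests to *.bing.com whose referer is the Copilot search page on m365.cloud.microsoft and whose path carries a segment resembling encoded user data. The JSON field names (`referer`, `url`) are assumptions, and the entropy check generalizes the page's OTP-style indicator to other encoded segments.

```python
import json
import math
import re
from urllib.parse import urlsplit

OTP_RE = re.compile(r"\d{6,}")      # 6+ digit run, e.g. a security code in the path
COPILOT_HOST = "m365.cloud.microsoft"
MIN_SEGMENT_LEN = 16                # long segments get an entropy check (base64-like data)


def _entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def suspicious_segments(path: str) -> list:
    """Path segments that look like encoded user data (OTP run or high-entropy blob)."""
    hits = []
    for seg in path.split("/"):
        if OTP_RE.search(seg) or (len(seg) >= MIN_SEGMENT_LEN and _entropy(seg) > 3.5):
            hits.append(seg)
    return hits


def is_copilot_to_bing_exfil(record: dict) -> bool:
    """True when a Copilot page (referer) fetched a *.bing.com URL with a suspicious path."""
    referer_host = urlsplit(record.get("referer", "")).hostname or ""
    dest = urlsplit(record.get("url", ""))
    dest_host = dest.hostname or ""
    if referer_host != COPILOT_HOST:
        return False
    if not (dest_host == "bing.com" or dest_host.endswith(".bing.com")):
        return False
    return bool(suspicious_segments(dest.path))


def hunt(lines) -> list:
    """Return the JSON-lines gateway records that match the rule."""
    return [r for r in map(json.loads, lines) if is_copilot_to_bing_exfil(r)]


# Constructed sample logs (assumed field names): a benign Bing asset load, a request
# shaped like the page's IoC path, and the same path from an unrelated referer.
SAMPLE_LOGS = [
    '{"referer": "https://m365.cloud.microsoft/search?q=quarterly+report", "url": "https://www.bing.com/images/search?q=cat"}',
    '{"referer": "https://m365.cloud.microsoft/search?q=...", "url": "https://www.bing.com/Your_Security_Code_847291/img.png"}',
    '{"referer": "https://example.com/", "url": "https://www.bing.com/Your_Security_Code_847291/img.png"}',
]
```

Running `hunt(SAMPLE_LOGS)` returns only the second record; the referer condition keeps ordinary Bing traffic from other pages out of the result.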