By Guru Baran
Publication Date: 2026-05-09 02:34:00
Microsoft has disclosed and fully remediated three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge. All three were released on May 7, 2026, and require no action from end users or administrators.
Microsoft’s Security Response Center published advisories for CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 as part of its ongoing commitment to transparency in its cloud services.
All three vulnerabilities carry a Critical severity rating and fall under the Information Disclosure impact category.
Microsoft has already fully mitigated all three flaws on its end, consistent with its cloud CVE transparency initiative outlined in the “Toward Greater Transparency: Unveiling Cloud Service CVEs” program.
Microsoft 365 Copilot Vulnerabilities
CVE-2026-26129 affects Microsoft 365 Copilot’s Business Chat. The vulnerability stems from improper neutralization of special elements in output used by a downstream…

