Skip to main content

365 Copilot CVE-2026-24307

CRITICAL
Improper Validation of Specified Type of Input (CWE-1287)
2026-01-22 secure@microsoft.com
Information Disclosure 365 Copilot
9.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 22, 2026 - 23:15 nvd
CRITICAL 9.3

DescriptionCVE.org

Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network.

AnalysisAI

M365 Copilot has an input validation vulnerability allowing unauthorized attackers to extract sensitive information through crafted prompts over the network.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious input for M365 Copilot
Exploit
Bypass input validation checks
Execution
Trigger unintended information disclosure
Impact
Attacker receives sensitive data over network
Sign in to reveal

Vulnerability AssessmentAI

Exploitation M365 Copilot enabled in target environment with default input validation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.3, EPSS 0.15%. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a crafted message or document that, when processed by M365 Copilot, triggers the validation bypass and causes the AI to disclose sensitive information from the victim's mailbox, SharePoint sites, or Teams conversations.
Remediation Microsoft has released updates. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Audit M365 Copilot access logs and user activity for suspicious queries or data exfiltration patterns; escalate to incident response if compromise is suspected. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-24307 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy