Skip to main content

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 13, 2026 - 22:01 euvd
EUVD-2026-12111
Analysis Generated
Mar 13, 2026 - 22:01 vuln.today
Patch released
Mar 13, 2026 - 22:01 nvd
Patch available
CVE Published
Mar 13, 2026 - 21:10 nvd
HIGH 7.1

DescriptionCVE.org

AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

AnalysisAI

CVE-2026-26133 is an AI command injection vulnerability in Microsoft 365 Copilot and multiple Microsoft mobile/desktop applications that allows remote attackers to disclose sensitive information through crafted AI prompts. The vulnerability affects numerous Microsoft products across iOS, Android, and macOS platforms, requires user interaction, and has a patch available from Microsoft with no current evidence of active exploitation (not in KEV).

Technical ContextAI

This vulnerability represents a new class of AI-specific security issues - command injection through AI prompts in Microsoft's Copilot integration. The affected products span Microsoft's entire mobile ecosystem including M365 Copilot, Edge, Excel, Word, PowerPoint, OneNote, Outlook, Teams, Loop, and PowerBI across Android, iOS, and macOS platforms. While no CWE is assigned, AI command injection typically involves manipulating AI system prompts to bypass intended restrictions and access unauthorized data. The vulnerability specifically targets the Copilot AI assistant functionality integrated across these applications.

RemediationAI

Microsoft has released patches for all affected products - update to the latest versions specified in the EUVD data. Primary remediation: Apply vendor patches through standard app store update mechanisms for mobile apps or Microsoft Update for desktop applications. Vendor advisory available at: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26133. As an interim mitigation, organizations could restrict Copilot functionality or implement additional monitoring for suspicious AI prompt patterns until patching is complete.

Share

CVE-2026-26133 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy