Skip to main content

Microsoft CVE-2026-26137

| EUVDEUVD-2026-13184 CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-19 secure@microsoft.com
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 21:30 euvd
EUVD-2026-13184
Analysis Generated
Mar 19, 2026 - 21:30 vuln.today
CVE Published
Mar 19, 2026 - 21:17 nvd
CRITICAL 9.9

DescriptionCVE.org

Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network.

AnalysisAI

Microsoft 365 Copilot's Business Chat contains a server-side request forgery vulnerability that allows authenticated users to escalate privileges across network boundaries. An attacker with valid credentials can exploit this flaw to access or manipulate resources beyond their intended authorization level. No patch is currently available, making this a significant risk for organizations using the affected service.

Technical ContextAI

This vulnerability is classified as CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches remote resources without validating user-supplied URLs, allowing attackers to make the server perform requests to arbitrary destinations. In Microsoft 365 Copilot's Business Chat context, this likely involves the AI assistant making API calls or fetching resources based on user input without proper validation. The SSRF vulnerability in this cloud-based collaboration tool could allow attackers to probe internal networks, access metadata services, or interact with other Microsoft 365 services using the server's privileges rather than their own limited permissions.

RemediationAI

Microsoft has published security guidance for CVE-2026-26137 available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137, which should be consulted for specific patching instructions. As this affects a cloud service, Microsoft will likely deploy fixes automatically to their infrastructure, but administrators should verify their tenant configurations and review any custom integrations with Business Chat. Until confirmation of patch deployment, organizations should monitor Business Chat usage for suspicious activity, restrict access to sensitive resources that Copilot can access, and implement additional authentication requirements for critical operations where possible.

Share

CVE-2026-26137 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy