Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network.
AnalysisAI
Microsoft 365 Copilot's Business Chat contains a server-side request forgery vulnerability that allows authenticated users to escalate privileges across network boundaries. An attacker with valid credentials can exploit this flaw to access or manipulate resources beyond their intended authorization level. No patch is currently available, making this a significant risk for organizations using the affected service.
Technical ContextAI
This vulnerability is classified as CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches remote resources without validating user-supplied URLs, allowing attackers to make the server perform requests to arbitrary destinations. In Microsoft 365 Copilot's Business Chat context, this likely involves the AI assistant making API calls or fetching resources based on user input without proper validation. The SSRF vulnerability in this cloud-based collaboration tool could allow attackers to probe internal networks, access metadata services, or interact with other Microsoft 365 services using the server's privileges rather than their own limited permissions.
RemediationAI
Microsoft has published security guidance for CVE-2026-26137 available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137, which should be consulted for specific patching instructions. As this affects a cloud service, Microsoft will likely deploy fixes automatically to their infrastructure, but administrators should verify their tenant configurations and review any custom integrations with Business Chat. Until confirmation of patch deployment, organizations should monitor Business Chat usage for suspicious activity, restrict access to sensitive resources that Copilot can access, and implement additional authentication requirements for critical operations where possible.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13184