Skip to main content

Microsoft 365 Copilot CVE-2026-41090

| EUVDEUVD-2026-31512 CRITICAL
Command Injection (CWE-77)
2026-05-22 microsoft GHSA-xw72-m37w-hm4p
9.3
CVSS 3.1 · NVD
Temporal: 8.1
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CIRCL (temporal)
8.1 HIGH
cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 22, 2026 - 22:46 vuln.today

DescriptionCVE.org

Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.

AnalysisAI

Command injection in Microsoft 365 Copilot for iOS allows remote unauthenticated attackers to tamper with system integrity over the network when a user is convinced to interact with malicious content. The flaw carries a critical CVSS score of 9.3 with a scope change indicating impact beyond the vulnerable component, though no public exploit identified at time of analysis. An official vendor patch is available via MSRC.

Technical ContextAI

The vulnerability is rooted in CWE-77 (Improper Neutralization of Special Elements used in a Command), meaning that untrusted input is incorporated into a command string without adequate sanitization, allowing attacker-controlled syntax to break out and execute additional commands. The affected platform is the Microsoft 365 Copilot iOS client (cpe:2.3:a:microsoft:microsoft_365_copilot_for_ios), a generative AI assistant that integrates with Microsoft 365 services and processes user prompts and tenant data. In Copilot-style products, command injection commonly arises where natural-language input, retrieved documents, or tool-invocation parameters are passed into underlying handlers without strict separation between data and command syntax, which the scope change (S:C) in the CVSS vector suggests can cross trust boundaries into other components such as connected M365 resources.

RemediationAI

Patch available per vendor advisory: update Microsoft 365 Copilot for iOS to the fixed build identified in the Microsoft Security Response Center entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41090 by installing the latest version from the Apple App Store and pushing the update via MDM (Intune, Jamf) to managed fleets. Until updates are confirmed deployed, compensating controls include restricting the Copilot iOS app to managed devices only through Conditional Access, disabling or limiting Copilot connectors and plug-ins that ingest external/untrusted content (which reduces injection surface but degrades retrieval-augmented features), and instructing users to avoid interacting with Copilot prompts that originate from untrusted documents, shared chats, or external email content. Each of these workarounds carries a usability trade-off - reduced connector breadth and stricter device posture lower the value of Copilot for end users - and they should be treated as bridging measures rather than substitutes for the vendor patch.

Share

CVE-2026-41090 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy