Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
AnalysisAI
Command injection in Microsoft 365 Copilot for iOS allows remote unauthenticated attackers to tamper with system integrity over the network when a user is convinced to interact with malicious content. The flaw carries a critical CVSS score of 9.3 with a scope change indicating impact beyond the vulnerable component, though no public exploit identified at time of analysis. An official vendor patch is available via MSRC.
Technical ContextAI
The vulnerability is rooted in CWE-77 (Improper Neutralization of Special Elements used in a Command), meaning that untrusted input is incorporated into a command string without adequate sanitization, allowing attacker-controlled syntax to break out and execute additional commands. The affected platform is the Microsoft 365 Copilot iOS client (cpe:2.3:a:microsoft:microsoft_365_copilot_for_ios), a generative AI assistant that integrates with Microsoft 365 services and processes user prompts and tenant data. In Copilot-style products, command injection commonly arises where natural-language input, retrieved documents, or tool-invocation parameters are passed into underlying handlers without strict separation between data and command syntax, which the scope change (S:C) in the CVSS vector suggests can cross trust boundaries into other components such as connected M365 resources.
RemediationAI
Patch available per vendor advisory: update Microsoft 365 Copilot for iOS to the fixed build identified in the Microsoft Security Response Center entry at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41090 by installing the latest version from the Apple App Store and pushing the update via MDM (Intune, Jamf) to managed fleets. Until updates are confirmed deployed, compensating controls include restricting the Copilot iOS app to managed devices only through Conditional Access, disabling or limiting Copilot connectors and plug-ins that ingest external/untrusted content (which reduces injection surface but degrades retrieval-augmented features), and instructing users to avoid interacting with Copilot prompts that originate from untrusted documents, shared chats, or external email content. Each of these workarounds carries a usability trade-off - reduced connector breadth and stricter device posture lower the value of Copilot for end users - and they should be treated as bridging measures rather than substitutes for the vendor patch.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31512
GHSA-xw72-m37w-hm4p