Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an authorized attacker to execute code over a network.
AnalysisAI
Command injection in Microsoft 365 Copilot allows an authenticated attacker with low privileges to execute arbitrary code across a scope-changing trust boundary, leading to high confidentiality impact and limited integrity and availability impact. The flaw stems from improper neutralization of special elements (CWE-77) within the Copilot service and is rated CVSS 7.7 with high attack complexity. No public exploit identified at time of analysis, and the EPSS signal is not provided in the source intelligence.
Technical ContextAI
Microsoft 365 Copilot is Microsoft's generative-AI assistant integrated across the Microsoft 365 productivity suite (Word, Excel, Outlook, Teams, and the Microsoft Graph). The CPE string cpe:2.3:a:microsoft:microsoft_365_copilot:*:*:*:*:*:*:*:* indicates the vulnerability is in the cloud-hosted Copilot service rather than a specific on-premises product version. CWE-77 (Improper Neutralization of Special Elements Used in a Command) means that input containing command metacharacters or directives is passed into a downstream interpreter or command processor without adequate sanitization, allowing the attacker to break out of the intended data context and have their input interpreted as executable commands. In an LLM-backed service this often manifests via tool-invocation or plugin layers where natural-language input is converted into structured commands.
RemediationAI
Patch available per vendor advisory - Microsoft has remediated the service-side flaw and customers should confirm their tenant is on the fixed Copilot service build via the MSRC guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45497. Because Microsoft 365 Copilot is a cloud service, the fix is largely deployed by Microsoft automatically, but administrators should verify any Copilot connectors, plugins, or Graph extensions in their tenant are also up to date. As compensating controls while validating coverage, administrators can restrict Copilot licensing to trusted user populations via Microsoft 365 admin center, disable third-party Copilot plugins under Integrated apps, and monitor Microsoft Purview audit logs for anomalous Copilot prompts or tool invocations; these reduce exposure but also reduce Copilot functionality for legitimate users.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34335
GHSA-96wf-4fpw-9pw8