Skip to main content

Microsoft 365 Copilot EUVDEUVD-2026-41445

| CVE-2026-41106 CRITICAL
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-07-02 microsoft GHSA-6xf4-794h-3f7w
9.3
CVSS 3.1 · NVD
Temporal: 8.1
Share

Severity by source

Vendor (microsoft) PRIMARY
CRITICAL
qualitative
NVD
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CIRCL (temporal)
8.1 HIGH
cvss
vuln.today AI
9.3 CRITICAL

Network-delivered open redirect needs no attacker auth (PR:N) but requires the victim to click (UI:R); token leakage across trust boundary yields S:C with C:H/I:H and no availability impact (A:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 22:51 vuln.today
CVE Published
Jul 02, 2026 - 22:18 cve.org
CRITICAL 9.3

DescriptionNVD

Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Privilege elevation in Microsoft 365 Copilot arises from an open redirect (CWE-601) that lets an unauthenticated remote attacker craft a Copilot-hosted URL that forwards a victim to an attacker-controlled site. Per the CVSS vector this requires the victim to interact (UI:R) with the malicious link and results in a scope change with high confidentiality and integrity impact, consistent with token/credential capture enabling elevated access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious Copilot redirect URL
Delivery
Deliver link via email/Teams/share
Exploit
Victim clicks trusted Microsoft link
Execution
Redirect to attacker-controlled site
Persist
Capture tokens/credentials
Impact
Elevate privileges over network

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to induce a victim to click a specially crafted Microsoft 365 Copilot URL that abuses the vulnerable open-redirect parameter - the CVSS UI:R metric means user interaction is mandatory, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly aligned toward a genuine but interaction-gated risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a link to a legitimate Microsoft 365 Copilot endpoint that embeds an attacker-controlled redirect target, then delivers it to a target user via email, Teams, or a shared document. The victim, trusting the Microsoft-branded URL, clicks it (UI:R) and is silently forwarded to an attacker-controlled site that harvests authorization tokens or credentials, giving the attacker elevated access. …
Remediation Patch available per vendor advisory - as a Microsoft-operated cloud service, the fix is applied server-side by Microsoft, so no customer-side upgrade action is generally required; confirm your tenant is current and consult the MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41106 for any tenant-specific guidance. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Microsoft 365 Copilot instances and user populations; confirm patch availability from Microsoft security advisories; notify stakeholders of the threat and patch timeline. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

EUVD-2026-41445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy