Skip to main content

Microsoft 365 Copilot EUVDEUVD-2026-44305

| CVE-2026-58617 CRITICAL
Improper Access Control (CWE-284)
2026-07-14 microsoft GHSA-fw44-xwgm-pf69
9.8
CVSS 3.1 · NVD
Temporal: 7.1
Share

Severity by source

Vendor (microsoft) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CIRCL (temporal)
7.1 HIGH
cvss
vuln.today AI
8.8 HIGH

Network-reachable AI client tied to authenticated M365 sessions, so PR:L is more defensible than PR:N; total impact justifies C/I/A:H with unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (microsoft).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 16, 2026 - 20:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 16, 2026 - 20:22 vuln.today
cvss_changed
Severity Changed
Jul 16, 2026 - 20:22 NVD
HIGH CRITICAL
CVSS changed
Jul 16, 2026 - 20:22 NVD
8.1 (HIGH) 9.8 (CRITICAL)
Analysis Generated
Jul 14, 2026 - 18:46 vuln.today
CVE Published
Jul 14, 2026 - 17:10 nvd
HIGH 8.1

DescriptionNVD

Improper access control in Microsoft 365 Copilot for iOS allows an unauthorized attacker to elevate privileges over a network.

AnalysisAI

Elevation of privilege in Microsoft 365 Copilot for iOS (versions 1.0 through builds prior to 2.111.4) lets a network-based attacker bypass improper access controls (CWE-284) to gain unauthorized elevated privileges. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) rates this 9.8 Critical with total confidentiality, integrity and availability impact, though SSVC records exploitation status as none and there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Copilot for iOS service over network
Exploit
Send request bypassing access-control check
Execution
Escalate to unauthorized privileges
Impact
Access or modify protected M365 data

Vulnerability AssessmentAI

Exploitation The only prerequisite established by the CVSS vector is network reachability of the Microsoft 365 Copilot for iOS service, with no privileges (PR:N) and no user interaction (UI:N) required per the vendor scoring; the affected client must be running a version below 2.111.4. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are conflicting and warrant caution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Given the AV:N/AC:L/PR:N vector, an attacker interacts with the Copilot for iOS service or client over the network and exploits the missing access-control check to escalate privileges and read or modify data they should not be able to reach. No user interaction is required (UI:N) and no exploit code has been published, so realistic exploitation would require an attacker to independently discover the authorization flaw. …
Remediation Vendor-released patch: update Microsoft 365 Copilot for iOS to version 2.111.4 or later, which is the first fixed build per the EUVD version range and the Microsoft advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58617. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all iOS devices running Microsoft 365 Copilot and identify users on affected versions prior to 2.111.4; immediately notify them of the vulnerability. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy