Microsoft 365 Copilot Vulnerabilities Expose Sensitive Information

Severity: High (Score: 69.2)

Sources: Cybersecuritynews, Letsdatascience

Summary

On May 7, 2026, Microsoft disclosed and remediated three critical information disclosure vulnerabilities in Microsoft 365 Copilot and Copilot Chat, tracked as CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111. These vulnerabilities allowed unauthorized access to sensitive information, and remediation required no action from end users or administrators. The issues were identified in Microsoft Edge and highlighted risks associated with enterprise AI assistants accessing confidential emails and documents. An earlier defect, first detected on January 21, 2026, allowed Copilot to summarize confidential emails despite sensitivity labels, prompting Microsoft to implement a fix in early February. The recurring data-exposure risks in Copilot deployments raise compliance concerns for organizations using these tools. Microsoft has committed to transparency in addressing these vulnerabilities.

Key Points

  • Three critical vulnerabilities in Microsoft 365 Copilot were remediated on May 7, 2026.
  • The flaws allowed unauthorized access to sensitive information without user action needed.
  • An earlier defect allowed summarization of confidential emails, raising compliance risks.

Key Entities

  • Data Breach (attack_type)
  • Microsoft (company)
  • CVE-2026-26129 (cve)
  • CVE-2026-26164 (cve)
  • CVE-2026-33111 (cve)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • Copilot Chat (platform)
  • Microsoft 365 Copilot (platform)
  • Microsoft Edge (platform)