🟠 High  |  Source: Microsoft Security Response Center


A vulnerability in Microsoft 365 Copilot allows an attacker to perform an open redirect without authentication, sending users to a malicious external site. This can be exploited over a network to elevate privileges, potentially granting unauthorised access to sensitive resources. The flaw is particularly concerning given Copilot’s deep integration with Microsoft 365 data and services.

Security Architect’s Take: Review conditional access policies and ensure Copilot access is restricted to trusted, managed devices and identities. Monitor for anomalous redirect activity in M365 audit logs, and consider temporarily scoping Copilot permissions until the patch is confirmed as applied to your tenant.

Original advisory: CVE-2026-41106 Microsoft 365 Copilot Elevation of Privilege Vulnerability