A360
Key Takeaways✦ Atlas AI
01
Three critical vulnerabilities patched.
02
No user action required for mitigation.
03
Sensitive information disclosure prevented.
Atlas AI
Micrososources disclosed and said it has fully remediated three critical information-disclosure vulnerabilities that affected Micrososources 365 Copilot and Copilot Chat embedded in Micrososources Edge. Patches and mitigations were released and completed on May 7, 2026, and Micrososources said no action was required from end users or administrators. The company published advisories through its Security Response Center as part of its cloud CVE transparency initiative.
Two of the flaws, tracked as CVE-2026-26129 and CVE-2026-26164, target Micrososources 365 Copilot’s Business Chat. Micrososources describes these issues as stemming from improper neutralization of special elements in output used by downstream components, an injection-style failure classified under CWE-74. The vendor said the attack vector is network-based, requires no privileges or user interaction, and carries a high confidentiality impact.
The third flaw, CVE-2026-33111, affects Copilot Chat when embedded in Micrososources Edge and is classified under CWE-77, an improper neutralization of special elements used in a command (command injection). Micrososources lists all three vulnerabilities under the Information Disclosure impact category and assigns each a Critical severity rating. For CVE-2026-26164 Micrososources notes the exploitability assessment as “Exploitation Less Likely” and lists exploit code maturity as unproven.
Network-based, no-interaction information-disclosure flaws can expose sensitive organizational data, raising the risk for enterprises that integrate Copilot with internal systems and grant it access to corporate information.
Such vulnerabilities can allow attackers to retrieve confidential data from cloud services without user interaction, increasing exposure for businesses that rely on Copilot integrations.
- Three CVEs disclosed and remediated: CVE-2026-26129, CVE-2026-26164, CVE-2026-33111. - Patches and mitigations were released and completed by Micrososources on May 7, 2026. - CVE-2026-26129 and CVE-2026-26164 affect Micrososources 365 Copilot Business Chat. ” - CVE-2026-33111 affects Copilot Chat embedded in Micrososources Edge and is classified under CWE-77 (command injection). - All three are classified as Critical and as Information Disclosure issues.
Enterprises should review Micrososources Security Response Center advisories for follow-up guidance and monitor Copilot and Edge logs for related anomalous activity.
