Three Copilot CVEs Land in One Patch Tuesday (CVE-2026-26129, CVE-2026-26164, CVE-2026-33111)

Key Takeaways

• Microsoft published advisories for three critical Copilot CVEs on May 7, 2026.
• All three are rated Critical severity in the Information Disclosure impact category.
• Affected products include Microsoft 365 Copilot and Copilot Chat in Microsoft Edge.
• Microsoft has fully mitigated all three flaws server-side; no customer action is required for the cloud surface.
• The disclosures continue an established pattern of cross-tenant data leakage through Copilot prompt paths.

Summary

Microsoft disclosed and fully remediated three critical information-disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge, as CybersecurityNews summarized. The Microsoft Security Response Center published advisories for CVE-2026-26129, CVE-2026-26164, and CVE-2026-33111 on the same day, and Microsoft addressed all three on the service side without requiring customer action.

What We Know

The May 7, 2026 advisories cover three distinct Critical-severity flaws under the Information Disclosure impact category. Each one sits on the Copilot prompt path that aggregates and processes mail, files, and Teams content across the tenant.

Per the MSRC advisory for CVE-2026-26129, the weakness involves how Copilot handles special elements and injected commands in the rendering pipeline, allowing crafted input to disclose data that should have remained scoped to the originating user or tenant. The companion advisories for CVE-2026-26164 and CVE-2026-33111 describe related paths on the Edge-hosted Copilot Chat surface.

Microsoft confirmed that all three flaws have been mitigated in the service. The May 2026 disclosures continue a year-long pattern in which Copilot prompt-injection and rendering vulnerabilities have repeatedly leaked sensitive content across trust boundaries.

What Happened

The Copilot prompt path is a complex composition of grounding data from SharePoint, OneDrive, Outlook, and Teams, plus model output that is then rendered into HTML and Markdown surfaces inside Office and Edge. Each of these three CVEs sits at a different stage of that pipeline where unsanitized special elements or injected commands changed how Copilot resolved or rendered context.

The technical effect is information disclosure, meaning content that one user or tenant should not have been able to see was returned to them through Copilot. Microsoft has not published detailed proof-of-concept code for the May advisories, in keeping with its practice for actively-mitigated cloud surfaces.

The AI-specific failure pattern is the same one behind the earlier Reprompt and Copirate 365 incidents: model-driven aggregation of broad enterprise data creates new data flows the original access control system never anticipated, and any weakness in the prompt rendering pipeline becomes a tenant-wide data flow rather than a single page exploit.

Why It Matters

Microsoft 365 Copilot is deployed at scale across regulated and global enterprises, and its access to email, SharePoint sites, OneDrive content, and Teams conversations makes it one of the most data-rich surfaces in the modern enterprise. Three concurrent Critical CVEs at this layer underline that the Copilot prompt path remains a high-priority target.

Affected data, where exploited, would include intellectual property in shared documents, confidential communications, HR and finance records held in connected stores, and restricted SharePoint sites. The cross-tenant variant of these classes of issue is the most consequential, since one tenant can in principle pull content from another.

On the regulatory side, the EU AI Act and NIST AI RMF both treat prompt-injection-driven information disclosure as a material AI safety risk for high-risk and general-purpose AI deployments. Boards should expect Copilot vulnerability cadence to mirror the rest of the Office surface.

PointGuard AI Perspective

PointGuard AI Discovery surfaces every Copilot integration in scope across Microsoft 365 tenants, Edge deployments, and connected data sources, so security and compliance teams have a complete map of where Copilot can reach and what it is permitted to retrieve. That inventory is the precondition for managing tenant-spanning prompt-injection risk.

PointGuard AI Data Protection applies data classification and access policy at the Copilot prompt path, so even when an injection path leaks across users it cannot move sensitive content beyond the intended scope. AI Runtime Guardrails inspect Copilot output for prompt-injection markers and unauthorized data exfiltration patterns before that content reaches a user.

The forward-looking takeaway is that enterprise Copilot platforms behave as a new shared data surface, and they need their own dedicated layer of inspection, classification, and runtime control alongside Microsoft's service-side fixes. Continuous monitoring of the Copilot prompt path, combined with policy that follows the data rather than the application, is how organizations keep pace with the next wave of disclosures.

Incident Scorecard

Total AISSI Score: 7.0/10

Criticality: 9/10. M365 Copilot has access to highly sensitive mail, files, and Teams content across the enterprise. AISSI weighting: 25%.

Propagation: 8/10. Pattern repeats across multiple Copilot surfaces and affects the broad tenant population. AISSI weighting: 20%.

Exploitability: 4/10. No public POC; Microsoft mitigated server-side; theoretical class is well established. AISSI weighting: 15%.

Supply Chain: 7/10. Heavy reliance on a single hosted vendor stack with limited customer visibility. AISSI weighting: 15%.

Business Impact: 6/10. Credible enterprise exposure; no confirmed material breach disclosed yet. AISSI weighting: 25%.

Sources

• CybersecurityNews: Critical Microsoft 365 Copilot vulnerabilities expose sensitive information
• MSRC advisory for CVE-2026-26129
• MSRC advisory for CVE-2026-33111