Microsoft disclosed a critical information disclosure vulnerability in Microsoft 365 Copilot’s Business Chat feature on May 7, 2026, assigning it CVE-2026-26129. According to the initial advisory, an unauthorized network attacker could exploit the flaw to access sensitive organizational data—potentially including internal documents, financial records, or personally identifiable information—without authentication. The vulnerability affects the core chat-based interface of Copilot for Microsoft 365, which connects enterprise data across the Microsoft 365 ecosystem.

Business Chat is a central component of the Copilot experience, allowing users to query data across their entire Microsoft 365 environment—emails, Teams messages, SharePoint documents, and more—using natural language. The severity of this bug lies in how Copilot ingests and indexes data to generate contextual responses, and the attack vector suggests that a man-in-the-middle or network-level adversary could intercept or manipulate API calls to siphon off those indexed results.

Microsoft has not yet provided full technical details, but the company classified the vulnerability as “Critical” under its severity rating system. This typically indicates that exploitation could occur without user interaction and might lead to a breach of confidentiality, integrity, or availability. The advisory’s phrasing—“unauthorized network attacker”—hints at an attack path that does not require the victim to click a link or open a file; simply having the Business Chat interface active within a corporate network might expose the organization to risk.

Copilot for Microsoft 365 leverages Microsoft Graph to access tenant data. CVE-2026-26129 likely stems from insufficient authorization checks in the Graph API calls made by Business Chat, or from improper handling of access tokens during the chat session. A network attacker positioned between the client and Microsoft’s cloud endpoints could potentially replay tokens, forge requests, or passively observe traffic if encryption is insufficiently implemented or if a downgrade attack succeeds.

The disclosure timing is notable. May 7, 2026, falls on a Thursday, suggesting this was an out-of-band security fix rather than part of the regular Patch Tuesday release cycle. Out-of-band patches are reserved for vulnerabilities that are either being actively exploited or pose an imminent risk. Microsoft’s decision to release this fix outside the normal cadence underscores the urgency it attributes to CVE-2026-26129.

What is Microsoft 365 Copilot Business Chat?

To understand the breach’s implications, it helps to examine the feature at risk. Business Chat in Microsoft 365 Copilot is a single, unified interface that allows users to search and synthesize information from across their Microsoft 365 apps and data. Instead of toggling between Word, Outlook, and OneDrive, a user can ask, “What were the key discussion points from last quarter’s marketing meetings?” and Copilot will scan all available data—meeting transcripts, email threads, shared documents—to generate a concise answer.

Under the hood, Business Chat relies on Microsoft Graph, which acts as the data access layer. Copilot processes natural language queries, translates them into Graph API calls, retrieves relevant content, and feeds that into a large language model to craft a response. The entire pipeline must enforce strict access controls, ensuring users only see data they already have permission to access. CVE-2026-26129 appears to break that boundary, allowing a network attacker to circumvent those permission checks.

How the Bug Could Be Exploited

Microsoft’s advisory indicates the attack vector is network-based. This likely means an attacker could intercept communications between a Copilot client and the Microsoft 365 backend. Common techniques include:

  • Man-in-the-Middle (MitM) attacks: If the attacker is on the same local network as the victim—say, an unsecured Wi-Fi network or a compromised router—they can intercept and inspect traffic. If Business Chat traffic is not properly encrypted or if certificate validation fails, the attacker might see plaintext queries and responses.
  • API token replay: Copilot uses OAuth 2.0 tokens to authenticate Graph API requests. A flaw in token binding or session management could allow an attacker to capture a token and reuse it to issue Graph queries on behalf of the victim, accessing data without knowing the user’s credentials.
  • Request tampering: Even without breaking encryption, an attacker might be able to modify requests in transit if the integrity checks are weak. This could alter the scope of a query or force Copilot to return data from a broader set of sources.

The most alarming scenario involves full read access to indexed organizational content. Since Business Chat is often granted broad—though permission-limited—scope to index data across the tenant, an attacker who successfully impersonates a valid session could enumerate documents, emails, and files that the victim’s account can access. For organizations storing sensitive financial records, proprietary research, or customer data, this represents a catastrophic exposure of intellectual property and regulated data.

Microsoft’s Response and Patch Availability

Microsoft has not publicly disclosed the exact changes it made to address CVE-2026-26129, but in a typical out-of-band patch, the update would be delivered via a server-side configuration change or an automatic client update. Since Copilot for Microsoft 365 is primarily a cloud service, users likely do not need to install a traditional software update. Instead, Microsoft would deploy the fix directly to the Copilot backend, immediately protecting all tenants.

The security update advisory likely includes a Knowledge Base (KB) article number, which is not available in the public preview. Historically, Microsoft assigns a KB ID and publishes detailed guidance on the MSRC portal (msrc.microsoft.com). Organizations using Microsoft 365 are urged to check the Microsoft 365 Admin Center for any service health advisories related to Copilot, and verify that they have the latest version of the Microsoft 365 Apps for enterprise, if applicable.

Business Chat is deeply integrated into Microsoft Teams and the Microsoft 365 web experience. If the vulnerability involved client-side components—such as the Teams desktop app or the Copilot sidebar in Edge—then users might need to restart their applications or clear cached tokens to enforce the fix. Microsoft’s security advisory will clarify this once it is publicly available.

Risk Assessment and CVSS Details

Microsoft has rated CVE-2026-26129 as Critical. In the MSRC classification, Critical means the vulnerability could allow remote code execution or data disclosure without user interaction. A typical CVSS v3.1 base score for a critical information disclosure vulnerability ranges from 7.1 to 9.0, depending on factors such as required privileges, user interaction, and impact on confidentiality.

Although the full CVSS vector is not yet published, we can infer likely attributes:

  • Attack Vector: Network (N) – The advisory explicitly mentions an unauthorized network attacker, so the vulnerability is reachable via the network.
  • Attack Complexity: Low (L) – No special conditions are required; the attacker simply needs to be on the network path.
  • Privileges Required: None (N) – The advisory suggests no authentication is needed.
  • User Interaction: None (N) – The victim does not need to click or open anything; the attack can be passive.
  • Scope: Unchanged (U) or Changed (C) – Depending on whether the breach is contained within the Copilot component or can affect the broader system.
  • Confidentiality Impact: High (H) – Full read access to sensitive data.
  • Integrity Impact: None (N) or Low (L) – Likely limited to information disclosure, though request tampering could alter the output.
  • Availability Impact: None (N) – No disruption to service.

With these assumptions, the base score lies around 7.5 (if scope is unchanged) or 8.6 (if scope is changed), making it a high-severity issue. Microsoft’s own rating might place it at the high end of the Critical band.

Mitigations and Workarounds

Until organizations can verify the patch has been applied, several temporary mitigations can reduce risk:

  1. Restrict network access: Ensure that Copilot Business Chat is only used on secured, encrypted networks. Avoid using the service on public Wi-Fi or untrusted connections. Implementing a VPN for all remote workers can add a layer of encryption that makes man-in-the-middle attacks harder.
  2. Enforce conditional access policies: In Microsoft Entra ID (formerly Azure AD), configure conditional access to require compliant devices, multi-factor authentication, and session controls. This won’t directly stop a network attack, but it can limit token replay by enforcing time-bound sessions and device-bound tokens.
  3. Monitor Copilot API logs: Use Microsoft Sentinel or third-party SIEM tools to analyze Microsoft Graph API audit logs. Look for unusual queries, out-of-hours activity, or data retrieval from unexpected locations. The Graph activity log can reveal anomalous access patterns that might indicate token abuse.
  4. Disable Business Chat temporarily: If the risk is deemed unacceptable, administrators can disable Copilot features for the entire organization via the Microsoft 365 Admin Center. Navigate to Settings > Org settings > Microsoft 365 Copilot, and toggle off Business Chat. This will restrict users to app-specific Copilot features and may disrupt productivity, but it eliminates the attack surface.
  5. Rotate user tokens: After the patch is confirmed, force a sign-out of all Microsoft 365 sessions to invalidate any captured tokens. This can be done via the Microsoft 365 admin center or PowerShell.
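
For the log monitoring in step 3, a minimal detection pass over exported Graph activity records, added here as an illustration and not taken from Microsoft or the original article. The sample records are constructed, and the field names (TimeGenerated, UserId, IPAddress, SignInActivityId, RequestUri) are modelled on the Microsoft Graph activity log schema as an assumption; map them to what your export actually contains.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry); field names are assumed.
SAMPLE_LOG = """
{"TimeGenerated":"2026-05-08T09:14:02Z","UserId":"user-a","IPAddress":"198.51.100.10","SignInActivityId":"tok-1","RequestUri":"/v1.0/me/messages"}
{"TimeGenerated":"2026-05-08T09:15:40Z","UserId":"user-a","IPAddress":"198.51.100.10","SignInActivityId":"tok-1","RequestUri":"/v1.0/me/drive/root/children"}
{"TimeGenerated":"2026-05-08T09:16:05Z","UserId":"user-a","IPAddress":"203.0.113.77","SignInActivityId":"tok-1","RequestUri":"/v1.0/me/messages"}
{"TimeGenerated":"2026-05-08T02:31:00Z","UserId":"user-b","IPAddress":"198.51.100.22","SignInActivityId":"tok-2","RequestUri":"/v1.0/me/drive/root/children"}
{"TimeGenerated":"2026-05-08T10:00:00Z","UserId":"user-c","IPAddress":"198.51.100.30","SignInActivityId":"tok-3","RequestUri":"/v1.0/me/events"}
"""

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC; tune per organization


def parse(log_text):
    """Yield one dict per non-empty JSON line, with a parsed UTC timestamp."""
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(
                rec["TimeGenerated"].replace("Z", "+00:00"))
            yield rec


def find_token_anomalies(log_text):
    """Return {token_id: [reasons]} for tokens that deserve a closer look."""
    by_token = defaultdict(list)
    for rec in parse(log_text):
        by_token[rec["SignInActivityId"]].append(rec)
    findings = {}
    for token, recs in by_token.items():
        reasons = []
        ips = sorted({r["IPAddress"] for r in recs})
        if len(ips) > 1:  # one token presented from several source addresses
            reasons.append("multiple_ips:" + ",".join(ips))
        if any(r["ts"].hour not in BUSINESS_HOURS for r in recs):
            reasons.append("out_of_hours")
        if reasons:
            findings[token] = reasons
    return findings


if __name__ == "__main__":
    for token, reasons in find_token_anomalies(SAMPLE_LOG).items():
        print(token, reasons)
```

A token seen from more than one address is only a lead: VPN egress changes and mobile roaming produce the same pattern, so correlate each finding with sign-in logs before acting on it.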

Long-Term Implications for Copilot Security

CVE-2026-26129 is not the first security flaw found in AI-powered assistants, but its criticality highlights the unique risks of tools that have broad access to organizational data. Copilot’s value—the ability to unify and contextualize information from across the Microsoft 365 suite—also makes it an attractive target. A single breach can expose the equivalent of a company’s entire digital footprint.

This incident will likely accelerate several trends:

  • Zero-trust architectures for AI tools: Organizations will increasingly demand that AI assistants operate under least-privilege principles, with every Graph API call dynamically authorized rather than relying on a session-wide token.
  • Enhanced auditing and AI-specific threat detection: SIEM and XDR vendors will develop detection rules tailored to Copilot activity, flagging when the AI accesses an unusually high volume of sensitive files or generates responses that include PII outside the user’s normal scope.
  • Regulatory scrutiny: Data protection authorities may view AI assistants as high-risk processing systems, requiring documented security assessments and incident response plans. The European Data Protection Board (EDPB) has already indicated that AI systems with broad data access must undergo Data Protection Impact Assessments (DPIAs).

Microsoft will likely release additional hardening updates for Copilot’s security architecture. The company has a dedicated AI Red Team that probes Copilot for vulnerabilities, and the public disclosure of CVE-2026-26129 suggests that external researchers or Microsoft’s own testing uncovered the flaw. We may see further disclosures in subsequent Patch Tuesdays as the product matures.

What Organizations Should Do Now

  1. Check the Microsoft 365 Admin Center for any service health advisories (SMAs) or message center posts related to Copilot and security. Microsoft often communicates cloud service fixes there before formal CVEs are published.
  2. Apply any client-side updates if you use the Copilot integration in Microsoft Teams or the Copilot sidebar in Edge. While the core fix may be server-side, client apps can also receive critical patches.
  3. Brief your security team on the nature of the vulnerability. Ensure that your incident response plan includes scenarios where an AI assistant leaks data via network attacks.
  4. Conduct a review of Copilot data controls: Use the Microsoft Purview compliance portal to audit which data sources Copilot indexes and which sensitivity labels are in place. Confirm that data classification and information barriers are configured correctly.
  5. Stay tuned to MSRC (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26129) for the full advisory, technical details, and any CVSS vector. Bookmark the page for updates.

The Bigger Picture

CVE-2026-26129 underscores a fundamental tension in modern enterprise IT: productivity versus security. AI assistants that can access everything are incredibly powerful, but they also create a single point of failure. As Copilot expands to more Microsoft 365 apps and even third-party data connectors, the attack surface will only grow. Microsoft’s quick out-of-band fix is reassuring, but the existence of such a high-severity bug in a mature product raises questions about the robustness of AI data pipelines.

Moving forward, enterprises must treat AI tools as critical infrastructure. That means applying the same security rigor—penetration testing, continuous monitoring, strict access control—that they would to a core banking system or an ERP platform. The cost of overlooking an AI assistant’s security is no longer theoretical; it can mean a wholesale breach of the organization’s most guarded secrets.