Home

Description

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

PUBLISHED Reserved 2026-04-16 | Published 2026-05-12 | Updated 2026-06-19 | Assigner microsoft




MEDIUM: 4.4CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

Problem types

CWE-284: Improper Access Control

Product status

1.0 (custom) before 16.0.19822.20190
affected

16.0.0.0 (custom) before 16.0.19822.20190
affected

1.0.0 (custom) before 16.0.19822.20190
affected

16.0.1 (custom) before 16.0.19822.20190
affected

16.0.0.0 (custom) before 16.0.19822.20190
affected

16.0.0.0 (custom) before 16.0.19822.20190
affected

References

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41100 (Microsoft 365 Copilot for Android Spoofing Vulnerability) vendor-advisory patch

cve.org (CVE-2026-41100)

nvd.nist.gov (CVE-2026-41100)

Download JSON