logo

Critical SearchLeak Flaw in Microsoft 365 Copilot Exposed Sensitive Enterprise Data

ID: 62b3a27a-0992-5d63-b0da-e794defa6091

STIX ID: report--62b3a27a-0992-5d63-b0da-e794defa6091

Feed Name: The Cyber Express

Threat Score
80/100

Date Published: 2026-06-16

Date Updated: 2026-06-16

Author: Ashish Khaitan

...
...

Researchers at Varonis disclosed a critical Microsoft 365 Copilot Enterprise vulnerability (CVE-2026-42824, “SearchLeak”) that chained an AI-specific Parameter-to-Prompt Injection with an HTML rendering race condition and a Bing SSRF to exfiltrate emails, calendar entries, SharePoint/OneDrive documents, and other indexed enterprise content via specially crafted URLs; Microsoft has patched the issue but the case highlights how AI features can link previously known flaws into high-impact attacks.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.