Injection keeps leaking Copilot: two new June 2026 disclosure CVEs
June 9, 2026 Patch Tuesday shipped CVE-2026-42824 and CVE-2026-47644 — two injection-class information-disclosure flaws in Microsoft's Copilot surface, continuing the exfiltration lineage that started with EchoLeak.
What is this?
Microsoft’s June 9, 2026 Patch Tuesday — a record release of 206 CVEs, 32 of them critical, per Cisco Talos — contained a small but telling cluster on the Copilot surface. Three entries share the same root weakness class: improper neutralization of special elements (injection). One, CVE-2026-45497, is the command-injection-to-RCE flaw we covered separately. The other two are the subject here:
- CVE-2026-42824 — command injection in Microsoft 365 Copilot that “allows an unauthorized attacker to disclose information over a network.”
- CVE-2026-47644 — improper neutralization of special elements in output used by a downstream component (injection) in Copilot Chat (Microsoft Edge), again enabling network information disclosure.
Both were disclosed on June 4, 2026 and, per MSRC, are already remediated server-side with no customer action required. Microsoft, as is standard for its cloud advisories, publishes the CWE class, impact and vector but withholds the exploitation mechanics. We do not fill that gap with invented detail.
How it works
What the advisories do tell us is the pattern, and the pattern is the story. Both flaws are injection weaknesses whose payoff is information disclosure, not code execution. That is the same shape as CVE-2025-32711 “EchoLeak” from a year earlier, and the same shape as the Copilot exfiltration chains documented across this site — see our CoPirate 365 Copilot chain and ShareLeak in Copilot Studio.
The structural reason an AI assistant keeps producing this CVE class: a Copilot request mixes trusted instructions (the system prompt, the user) with untrusted content (documents, emails, web pages, tool output) in a single context, and the model’s output is then consumed by downstream components — a browser renderer, a connector, a link unfurler, a markdown/HTML sink. If special elements in that output are not neutralized before the downstream component acts on them, attacker-controlled content retrieved during the turn can steer what gets read and where it gets sent. CWE-class “injection” is precisely the label for “untrusted data crossed a boundary it should not have.” CVE-2026-47644 naming a downstream component in Edge fits that reading exactly.
No payload is reproduced here, and none is needed to understand the lesson: in an LLM assistant, the model’s output is untrusted input to whatever runs next.
Why it matters
Three takeaways. First, information disclosure, not RCE, remains the dominant Copilot failure mode. The headline-grabbing item this month was the RCE (45497), but two of the three injection CVEs leak data — consistent with every Copilot incident since EchoLeak. If you threat-model Copilot only for code execution, you are defending the rarer case.
Second, “already mitigated, no action required” is not “nothing to do.” Server-side fixes close the specific instance Microsoft found; they do not retire the weakness class, and they give you no detection coverage for the next variant. The class has now recurred enough times to be treated as a standing risk, not a series of one-offs.
Third, the volume signal. A 206-CVE Patch Tuesday, with AI-assisted discovery widely credited for the surge, means the cadence of AI-surface advisories is rising. Copilot is now a routine line item in monthly vulnerability intelligence, and should be tracked like one.
Defenses
Microsoft owns the cloud fix; your job is the surrounding blast radius and the next variant.
- Treat model output as untrusted input downstream. Anywhere Copilot output feeds a renderer, connector, or automation, apply contextual output encoding and sink-appropriate neutralization (HTML, URL, command). This is the control whose absence the CVEs describe.
- Constrain exfiltration paths. Most Copilot data-leak chains end in an outbound request — an image fetch, a link, a connector call. Restrict and monitor egress from the assistant context; disallow auto-loading of remote content in rendered responses where you can.
- Minimize the grounding surface. Scope Copilot connectors and document access to least privilege. The less sensitive data is reachable in a single turn, the less an injection can disclose.
- Monitor for disclosure, not just execution. Alert on anomalous Copilot-originated outbound requests and unusual cross-tenant or cross-connector reads. Info-disclosure flaws are quiet by design.
- Patch and track the AI surface on the normal cadence. Add M365 Copilot, Copilot Chat and Edge to your monthly MSRC review. “No action required” advisories still belong in the inventory.
Status
| CVE | Component | Class | Impact | Disclosed | Status |
|---|---|---|---|---|---|
| CVE-2026-42824 | Microsoft 365 Copilot | Command injection | Information disclosure (network) | 2026-06-04 | Fixed server-side |
| CVE-2026-47644 | Copilot Chat (Edge) | Output injection | Information disclosure (network) | 2026-06-04 | Fixed server-side |
| CVE-2026-45497 | Microsoft 365 Copilot | Command injection | RCE (scope change) | 2026-06-04 | Fixed server-side |
| CVE-2025-32711 (EchoLeak) | Microsoft 365 Copilot | Injection | Information disclosure | 2025 | Fixed server-side |
The correct framing is not “two more Copilot bugs.” It is that injection-driven information disclosure is a structural, recurring property of LLM assistants that blend trusted and untrusted content, and that each monthly fix closes an instance, not the class. Defenders who internalize that will keep their egress monitoring and output-handling controls in place long after this month’s advisories scroll off the page.
Sources
- → https://blog.talosintelligence.com/microsoft-patch-tuesday-for-june-2026-snort-rules-and-prominent-vulnerabilities/
- → https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42824
- → https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47644
- → https://thewindowsupdate.com/2026/06/04/cve-2026-42824-m365-copilot-information-disclosure-vulnerability/
- → https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711