
CVE-2026-45497: command injection turns Microsoft 365 Copilot into an RCE path

On June 4, 2026, MSRC disclosed CVE-2026-45497, a command-injection flaw in Microsoft 365 Copilot rated as remote code execution with a scope change across the service boundary. Fixed server-side.

2026-06-05 // 6 min // affects: microsoft-365-copilot, copilot-chat

What is this?

On June 4, 2026, Microsoft’s Security Response Center published CVE-2026-45497, a vulnerability in Microsoft 365 Copilot that MSRC classifies as improper neutralization of special elements used in a command — classic command injection — leading to remote code execution. The advisory carries a changed-scope marker, meaning the flaw let an attacker reach beyond the Copilot service container into other Microsoft 365 components. Microsoft says the issue was already remediated inside its cloud and that no customer action is required. The same batch included two information-disclosure entries, CVE-2026-47644 (Copilot Chat in Microsoft Edge) and CVE-2026-42824 (Microsoft 365 Copilot).

This matters because it is the first time a mainstream AI assistant’s advisory describes an RCE with a container-crossing scope change, not “just” the data-exfiltration class that has dominated Copilot findings since CVE-2025-32711 “EchoLeak” a year earlier.

How it works

No exploit is public, and none is reproduced here. What MSRC’s classification tells us is the shape of the bug: somewhere in Copilot’s tool/skill execution path, attacker-influenced text reached a component that builds and runs a command, without sufficient sanitization.

For an AI assistant, the realistic entry point for that text is prompt injection. Copilot ingests untrusted content by design — emails, shared documents, calendar invites, web pages pulled into context. If any of that content can steer the model into invoking a backend tool whose arguments are concatenated into a shell or interpreter call, the natural-language front door becomes a command-injection front door:

Untrusted content (email / doc / page)
        |  retrieved into Copilot context
        v
Injected instruction -> model calls a backend tool
        |  tool arg concatenated into a command
        v
Command injection -> code execution in the service
        |  S:C  (scope change)
        v
Reach into adjacent M365 components

The “scope change” is the part defenders should sit with: it means the blast radius was not contained to the request that triggered it.

Why it matters

Copilot is embedded across Word, Excel, Outlook, Teams and SharePoint for a very large enterprise install base. A command-execution bug in that service is not a single-tenant problem; the changed scope says the boundary that was supposed to keep one request — and potentially one tenant’s context — away from the rest of the platform did not hold.

The broader lesson is architectural. The industry spent the past year treating Copilot-class risk as information disclosure (EchoLeak, Copilot Studio prompt injection). CVE-2026-45497 says the same untrusted-input problem can land further down the stack, at code execution, whenever an agent is allowed to turn model output into a command. The OWASP “lethal trifecta” — untrusted input, sensitive access, and an outbound or execution capability — is exactly this combination.

Defenses

Microsoft fixed the service side, so there is no patch to install. The work is to make sure your own agents and any custom Copilot extensions don’t recreate the pattern.

  1. Never concatenate model output into a command. Pass tool arguments through structured, parameterized APIs; avoid shell, eval, or string-built interpreter calls. If a tool must run a command, use an allowlist of fixed argument vectors.
  2. Treat all retrieved content as untrusted. Documents, emails and web pages pulled into context are attacker-controllable. Apply the same input-handling discipline you would to a web form.
  3. Constrain the trifecta. Don’t give one agent untrusted input, privileged tools, and an execution or exfiltration path at the same time. Split capabilities, or gate command-executing tools behind human confirmation.
  4. Sandbox and scope tool execution. Run command-capable tools in a least-privilege, isolated context so a successful injection cannot change scope into adjacent systems.
  5. Audit custom plugins and connectors now. Even though the core service is fixed, the same class of bug lives in homegrown Copilot extensions. Review them for any place model text reaches a command builder, and rotate credentials those plugins hold.
  6. Log tool invocations, not just chat. Detection for this class means watching which backend tools the model called with which arguments — chat transcripts alone won’t show a command-injection attempt.
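
Defenses 1 and 6 together, as an added example that is not from the original page or from Microsoft: a dispatcher that maps a model-proposed tool call onto a fixed argument vector and writes one audit record per call. The tool registry, function names and path pattern are assumptions made for illustration.

```python
import json
import logging
import re
import subprocess

audit = logging.getLogger("tool_audit")
# Relative path only: no leading "-", "/" or ".", no spaces or shell metacharacters.
SAFE_PATH = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_./-]{0,127}")
# Hypothetical registry: tool name -> fixed argv template and per-argument validator.
TOOLS = {
    "file_type": {"argv": ["file", "--brief", "--", "{path}"], "args": {"path": SAFE_PATH}},
    "line_count": {"argv": ["wc", "-l", "--", "{path}"], "args": {"path": SAFE_PATH}},
}

class ToolCallRejected(ValueError):
    """Raised when a model-proposed tool call does not fit the allowlist."""

def build_argv(tool, args):
    """Turn a model-proposed tool call into an argv list, or raise ToolCallRejected."""
    spec = TOOLS.get(tool)
    if spec is None:
        raise ToolCallRejected(f"unknown tool: {tool!r}")
    if not isinstance(args, dict) or set(args) != set(spec["args"]):
        raise ToolCallRejected("unexpected or missing arguments")
    for name, pattern in spec["args"].items():
        value = args[name]
        if not isinstance(value, str) or not pattern.fullmatch(value) or ".." in value:
            raise ToolCallRejected(f"argument {name!r} failed validation")
    # Each placeholder fills exactly one argv slot; the value is never re-parsed.
    return [p.format(**args) if p.startswith("{") else p for p in spec["argv"]]

def dispatch(tool, args, run=False):
    """Validate, audit-log and optionally execute one tool call."""
    record = {"tool": tool, "args": args, "decision": "allow"}
    try:
        argv = build_argv(tool, args)
    except ToolCallRejected as exc:
        record.update(decision="deny", reason=str(exc))
        audit.warning(json.dumps(record, default=str))  # denied calls are the detection signal
        return record
    record["argv"] = argv
    audit.info(json.dumps(record, default=str))
    if run:
        # No shell: argv goes straight to exec, so metacharacters carry no meaning.
        done = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
        record["exit_code"] = done.returncode
    return record

if __name__ == "__main__":  # constructed calls: one benign, one carrying injected text
    print([dispatch("line_count", {"path": p})["decision"] for p in ("notes.txt", "notes.txt; id")])
```

The `--` in each template ends option parsing, so a validated value cannot be read as a flag even if the path pattern is later loosened.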

Status

| Item | Reference | Date | Notes |
|---|---|---|---|
| CVE-2026-45497 (M365 Copilot) | MSRC | 2026-06-04 | Command injection -> RCE, scope changed; fixed server-side, no customer action |
| CVE-2026-47644 (Copilot Chat, Edge) | MSRC | 2026-06-04 | Information disclosure |
| CVE-2026-42824 (M365 Copilot) | MSRC | 2026-06-04 | Information disclosure |
| CVE-2025-32711 “EchoLeak” | MSRC | 2025-06 | Prior zero-click M365 Copilot data-exfil, for context |

Public sources disagree on the exact CVSS figure for CVE-2026-45497, so we omit a single number; MSRC’s own advisory is the authoritative reference. The takeaway holds regardless of the score: an AI assistant that can turn untrusted text into a command is an RCE surface, and the defensive job is to keep model output away from command builders.
