CVE-2026-41106: Critical Open Redirect in Microsoft 365 Copilot

"A critical open-redirect flaw in Microsoft 365 Copilot allows an unauthenticated, network-based attacker to elevate privileges when a user is tricked into interacting with a crafted link."

What Is It

CVE-2026-41106 is an open-redirect vulnerability (CWE-601, URL redirection to an untrusted site) in Microsoft 365 Copilot. According to the NVD record, which carries Microsoft's assessment, the flaw "allows an unauthorized attacker to elevate privileges over a network." Microsoft assigns it a CVSS 3.1 base score of 9.3 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N: the attack is network-reachable (AV:N) with low complexity (AC:L) and requires no privileges (PR:N), but does require user interaction (UI:R). The scope is marked as Changed (S:C), both confidentiality and integrity impacts are rated High, and availability is not affected (A:N).
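To make the CWE-601 class concrete, here is an added example (not Microsoft's or Copilot's code; the affected endpoint is not public on this page, so the host allowlist and every sample target below are constructed) of the naive redirect-target check that produces an open redirect, beside an allowlist check on the parsed host that holds up against the usual bypass shapes:

```python
"""CWE-601 open redirect: a naive target check beside a hardened allowlist check.

Added example. Nothing here is Microsoft's or Copilot's code: the hosts in
TRUSTED_HOSTS and the sample targets are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist of first-party hosts a redirect may land on.
TRUSTED_HOSTS = frozenset({"app.example", "login.example"})


def naive_is_safe_redirect(target: str) -> bool:
    """The pattern behind most open redirects: a prefix / substring test.

    It accepts anything that starts with "/" (so "//evil.example" passes,
    because browsers read that as scheme-relative) and anything that merely
    contains a trusted host name somewhere in the string.
    """
    return target.startswith("/") or any(h in target for h in TRUSTED_HOSTS)


def is_safe_redirect(target: str, allowed_hosts: frozenset = TRUSTED_HOSTS) -> bool:
    """Allowlist check on the parsed host, refusing inputs a browser would
    interpret differently from the parser."""
    # Whitespace, control characters and backslashes are the raw material of
    # parser/browser mismatches (browsers strip tab/newline and treat "\" as
    # "/"); refuse them outright instead of trying to normalise.
    if not target or any(ord(c) <= 0x20 or c == "\\" for c in target):
        return False

    parts = urlsplit(target)

    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading slash. "///host" parses to
        # an empty netloc here but a browser still reads it as a host.
        return target.startswith("/") and not target.startswith("//")

    if parts.scheme not in ("http", "https"):
        return False  # scheme-relative "//host", javascript:, data:, ...

    # .hostname is lower-cased with port and userinfo removed, so
    # "https://app.example@evil.example/" yields "evil.example".
    return parts.hostname is not None and parts.hostname in allowed_hosts


def compare(targets):
    """Return {target: (naive_verdict, hardened_verdict)} for a list of targets."""
    return {t: (naive_is_safe_redirect(t), is_safe_redirect(t)) for t in targets}


if __name__ == "__main__":
    # Constructed sample targets: the first two are legitimate, the rest are
    # the classic bypass shapes an allowlist check must refuse.
    samples = [
        "/dashboard",
        "https://APP.example:443/home",
        "//evil.example/x",
        "https://app.example@evil.example/",
        "https://evil.example/?next=app.example",
        "https://app.example.evil.example/",
        "javascript:alert(1)",
        "/\\evil.example",
    ]
    for t, (naive, hard) in compare(samples).items():
        print(f"{t!r:45} naive={naive!s:5} hardened={hard}")
```

Running it shows the naive check is both too loose (every bypass shape passes) and too strict (the upper-case trusted host fails), while the hardened check decides on the host the browser will actually contact. The same allowlist principle applies whatever the framework: compare parsed hosts, never raw strings.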

Why It Matters

The combination of no required privileges, low attack complexity, and a Changed scope drives the 9.3 rating. Because exploitation abuses a trusted Copilot redirect to reach an untrusted destination, a victim who interacts with a crafted link can be steered in a way that enables privilege elevation over the network, with the impact extending beyond the vulnerable Copilot component (the Changed scope) and rated High for both confidentiality and integrity. Copilot is a cloud-hosted service, tagged "exclusively-hosted-service" in the record, so the affected surface is broad and centrally reachable rather than spread across customer-managed installations.

What's Vulnerable

No specific affected CPEs are provided in the NVD record.

Patch Status

The vulnerability was published on 2026-07-02 and carries an NVD status of "Received", meaning NVD has not yet completed its own analysis. As an exclusively-hosted service, Microsoft 365 Copilot is remediated on the vendor side; refer to the Microsoft Security Response Center (MSRC) update guide entry for authoritative fix and mitigation details. The supplied CISA KEV data contained no entry for this CVE, so the source material confirms neither active exploitation nor a KEV-mandated required action.

Sources