A critical open-redirect flaw in Microsoft 365 Copilot allows an unauthenticated, network-based attacker to elevate privileges when a user is tricked into interacting with a crafted link.
What Is It
CVE-2026-41106 is an open-redirect vulnerability (CWE-601) in Microsoft 365 Copilot. According to the NVD record, which reproduces Microsoft's own description, the flaw stems from URL redirection to an untrusted site and "allows an unauthorized attacker to elevate privileges over a network." Microsoft assigns it a CVSS 3.1 base score of 9.3 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N: the attack is network-reachable with low complexity and requires no privileges, but it does require user interaction. Scope is marked Changed, the confidentiality and integrity impacts are rated High, and the availability impact is None.
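To make the CWE-601 pattern concrete, here is an added example (not Microsoft's code, and not a reconstruction of the Copilot endpoint, whose redirect logic is not public). It shows a prefix check of the kind that typically creates an open redirect next to a hardened validator that only allows same-site paths or an exact allowlist of https hosts. The host names, the `ALLOWED_HOSTS` set and the sample inputs are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Hosts this hypothetical service may redirect to (an assumption for the
# example, not anything taken from the Copilot record).
ALLOWED_HOSTS = {"app.example.com", "login.example.com"}
FALLBACK = "/"


def is_safe_redirect_naive(target: str) -> bool:
    """A prefix check of the kind that produces CWE-601.

    It accepts '//evil.example' (scheme-relative), '/\\evil.example' (browsers
    normalise '\\' to '/'), and 'https://app.example.com.evil.example'.
    """
    return target.startswith("/") or target.startswith("https://app.example.com")


def safe_redirect_target(target: str, fallback: str = FALLBACK) -> str:
    """Return a redirect target restricted to same-site paths or allow-listed hosts.

    Anything that does not parse as a single-slash local path, or as an https
    URL whose host is exactly in ALLOWED_HOSTS, is replaced by the fallback.
    """
    if not target:
        return fallback
    # Normalise backslashes first: browsers treat '/\evil.example' as '//evil.example'.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. Require exactly one leading slash so that
        # '//host' (scheme-relative) and '///host' are both rejected.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return fallback

    # Absolute URL: require https, an exact host match, and no userinfo
    # ('https://app.example.com@evil.example' parses with hostname evil.example).
    if (
        parts.scheme.lower() == "https"
        and parts.hostname in ALLOWED_HOSTS
        and parts.username is None
        and parts.password is None
    ):
        return candidate
    return fallback


# Constructed sample inputs of the kind an attacker places in a
# ?next= / ?redirect_uri= parameter.
SAMPLES = [
    "/dashboard",
    "//evil.example/phish",
    "/\\evil.example/phish",
    "https://app.example.com.evil.example/",
    "https://app.example.com@evil.example/",
    "javascript:alert(document.domain)",
    "https://login.example.com/oauth/callback?code=abc",
]


def compare(samples=SAMPLES) -> list[tuple[str, bool, str]]:
    """For each sample: (input, naive verdict, where the hardened check sends the user)."""
    return [(s, is_safe_redirect_naive(s), safe_redirect_target(s)) for s in samples]


if __name__ == "__main__":
    for sample, naive_ok, hardened in compare():
        print(f"{sample!r:55} naive={naive_ok!s:5} hardened->{hardened}")
```

The naive check passes three of the hostile samples; the hardened one sends every hostile sample to the fallback and passes only the local path and the exact-host https URL. The same rule applies to OAuth-style redirect_uri values: match the registered value exactly rather than by prefix.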
Why It Matters
No required privileges, low attack complexity, High confidentiality and integrity impacts, and a Changed scope together produce the 9.3; with Scope Unchanged the same vector would score 8.1. Changed scope means the component the attacker ultimately affects is not the redirect endpoint itself, so a victim who follows a crafted Copilot link can be steered in a way that elevates privileges in a component beyond the vulnerable one. Open redirects are usually rated Low or Medium because their common use is phishing; the High impacts assigned here indicate Microsoft judged this redirect to enable more than that, although the public record does not describe the mechanism. Copilot is a cloud-hosted service (tagged "exclusively-hosted-service" in the record), so the affected surface is broad, uniform, and reachable by anyone who can get a link in front of a Copilot user.
What's Vulnerable
- Vendor: Microsoft
- Product: Microsoft 365 Copilot
- Affected version: listed as "-" (no discrete version enumerated; as a hosted service, treat all tenants as affected until Microsoft states otherwise)
No specific affected CPEs are provided in the NVD record.
Patch Status
The vulnerability was published on 2026-07-02 and carries an NVD status of "Received," meaning NVD has not yet completed its own analysis. As an exclusively-hosted service, Microsoft 365 Copilot is remediated on the vendor side and there is no customer-installed patch; refer to the Microsoft Security Response Center (MSRC) update guide entry for authoritative fix status and any mitigation. The supplied CISA KEV data contained no entry, so the source material confirms no active exploitation and imposes no KEV-mandated action; absence from KEV is not evidence that the flaw is unexploited.
Sources
- NVD, CVE-2026-41106: https://nvd.nist.gov/vuln/detail/CVE-2026-41106
- Microsoft MSRC Update Guide; CVE-2026-41106: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41106