AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-24307: Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information o

criticalvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseJanuary 22, 2026CVE-2026-24307

Summary

CVE-2026-24307 is a vulnerability in Microsoft 365 Copilot where improper validation of input (failure to check that data matches what the system expects) allows an attacker to access and disclose information over a network without authorization. The vulnerability has a CVSS score of 4.0 (a moderate severity rating on a 0-10 scale).

Vulnerability Details

CVSS Score

9.3(critical)

EPSS (30-day exploit probability)

EPSS: 0.1%

Classification

Attack Type

Data Extraction

Attack SophisticationModerate

Impact (CIA+S)

confidentiality

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-1287

Affected Vendors

Microsoft

Related Issues

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

Similar attackNVD/CVE Database

high

CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint

First tracked: February 15, 2026 at 08:51 PM

Classified by LLM (prompt v3) · confidence: 85%