AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-41100: Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

mediumvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseMay 12, 2026CVE-2026-41100

Summary

CVE-2026-41100 is a vulnerability in Microsoft 365 Copilot where improper access control (weak rules that don't properly check who should be allowed to do something) allows an authorized attacker to perform spoofing (impersonating someone or something else) on a local system. The vulnerability has a CVSS 4.0 severity rating (a moderate security concern on a 0-10 scale).

Vulnerability Details

CVSS Score

4.4(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

local

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

May 12, 2026

Classification

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-284

Affected Vendors

Microsoft

Related Issues

info

Tech Giants Invest $12.5 Million in Open Source Security

Same vendorSecurityWeek

info

Vance, Bessent questioned tech giants on AI security before Anthropic's Mythos release

Same vendorCNBC Technology

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41100

First tracked: May 12, 2026 at 08:09 PM

Classified by LLM (prompt v3) · confidence: 85%