AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-33102: Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privilege

criticalvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseApril 23, 2026CVE-2026-33102

Summary

CVE-2026-33102 is an open redirect vulnerability (a flaw where a website redirects users to an untrusted site) in Microsoft 365 Copilot that allows an attacker to elevate their privileges over a network without authorization. The vulnerability has a CVSS severity rating of 4.0 (a moderate severity score on a 0-10 scale).

Vulnerability Details

CVSS Score

9.3(critical)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

required

Disclosure Date

April 23, 2026

Classification

Attack Type

Other

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-601

Affected Vendors

Microsoft

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-33102

First tracked: April 24, 2026 at 08:10 AM

Classified by LLM (prompt v3) · confidence: 85%