CVE-2026-21520: Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view s
highvulnerability
security
Summary
CVE-2026-21520 is a vulnerability in Microsoft Copilot Studio that allows an unauthenticated attacker to view sensitive information through a network-based attack. The vulnerability stems from improper handling of special characters in commands (command injection, where attackers manipulate input to execute unintended commands), and affects Copilot Studio's hosted service.
Vulnerability Details
CVSS Score
7.5(high)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Type
Other
Attack SophisticationTrivial
Impact (CIA+S)
confidentiality
AI Component TargetedAPI
Affected Vendors
Microsoft
Related Issues
Monthly digest — independent AI security research
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-21520
First tracked: February 15, 2026 at 08:51 PM
Classified by LLM (prompt v3) · confidence: 85%