AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-41614: Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.

mediumvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseMay 12, 2026CVE-2026-41614

Summary

CVE-2026-41614 is a vulnerability in Microsoft 365 Copilot for Desktop caused by improper access control (a weakness where the software fails to properly restrict who can do what), allowing an unauthorized attacker to perform spoofing (making something appear to come from someone else) on a local computer. The vulnerability has a CVSS 4.0 severity rating, though a full assessment from NIST has not yet been provided.

Vulnerability Details

CVSS Score

6.2(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

local

Attack Complexity

low

Privileges Required

none

User Interaction

none

Disclosure Date

May 12, 2026

Classification

Attack Type

Other

Attack SophisticationTrivial

Impact (CIA+S)

integrity

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-284

Affected Vendors

Microsoft

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

high

GHSA-w3hv-x4fp-6h6j: @grackle-ai/server has Missing WebSocket Origin Header Validation

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-41614

First tracked: May 12, 2026 at 08:09 PM

Classified by LLM (prompt v3) · confidence: 85%