Cyber Resilience

CVE-2026-21520

HighRCE

Published: 22 January 2026

Published
22 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0013 31.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21520 is a high-severity Command Injection (CWE-77) vulnerability in Microsoft Copilot Studio. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21520 is a vulnerability in Microsoft Copilot Studio that results in the exposure of sensitive information to an unauthorized actor. It allows an unauthenticated attacker to view sensitive data through a network-based attack vector. The issue has a CVSS v3.1 base score of 7.5, rated as High severity, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and is associated with CWE-77 (Command Injection). The vulnerability was published on 2026-01-22.

An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation enables the attacker to obtain high-impact confidentiality disclosures (C:H) of sensitive information, with no impact on integrity or availability.

Mitigation details are available in the official advisory from the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21520.

EU & UK References

Vulnerability details

Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows a unauthenticated attacker to view sensitive information through network attack vector

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: copilot

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated network exploitation of public-facing Copilot Studio service via command injection (CWE-77) directly enables initial access and arbitrary command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42893Same vendor: Microsoft
CVE-2025-59272Same vendor: Microsoft
CVE-2025-59286Same vendor: Microsoft
CVE-2025-59252Same vendor: Microsoft
CVE-2026-21518Same vendor: Microsoft
CVE-2026-21516Same vendor: Microsoft
CVE-2026-21257Same vendor: Microsoft
CVE-2026-26133Same vendor: Microsoft
CVE-2026-33111Same vendor: Microsoft
CVE-2025-53787Same vendor: Microsoft

Affected Assets

microsoft
copilot studio
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection (CWE-77) exploitation in Copilot Studio by validating information inputs to block malicious commands that expose sensitive information.

prevent

Remediates the specific flaw in CVE-2026-21520 through timely identification, testing, and deployment of patches to eliminate the sensitive information exposure.

prevent

Mitigates the network attack vector for unauthenticated attackers by enforcing protections on publicly accessible interfaces in Copilot Studio.

References