CVE-2026-21520
Published: 22 January 2026
Summary
CVE-2026-21520 is a high-severity Command Injection (CWE-77) vulnerability in Microsoft Copilot Studio. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 31.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21520 is a vulnerability in Microsoft Copilot Studio that results in the exposure of sensitive information to an unauthorized actor. It allows an unauthenticated attacker to view sensitive data through a network-based attack vector. The issue has a CVSS v3.1 base score of 7.5, rated as High severity, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and is associated with CWE-77 (Command Injection). The vulnerability was published on 2026-01-22.
An unauthenticated attacker (PR:N) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation enables the attacker to obtain high-impact confidentiality disclosures (C:H) of sensitive information, with no impact on integrity or availability.
Mitigation details are available in the official advisory from the Microsoft Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21520.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4504
Vulnerability details
Exposure of Sensitive Information to an Unauthorized Actor in Copilot Studio allows an unauthenticated attacker to view sensitive information through a network attack vector.
- CWE(s)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: copilot
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated network exploitation of public-facing Copilot Studio service via command injection (CWE-77) directly enables initial access and arbitrary command execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents command injection (CWE-77) exploitation in Copilot Studio by validating information inputs to block malicious commands that expose sensitive information.
Remediates the specific flaw in CVE-2026-21520 through timely identification, testing, and deployment of patches to eliminate the sensitive information exposure.
Mitigates the network attack vector for unauthenticated attackers by enforcing protections on publicly accessible interfaces in Copilot Studio.