criticalCVE-2026-41106

CVE-2026-41106 Microsoft 365 Copilot Vulnerability

Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.

ProductMicrosoft 365 Copilot
CVSS9.3
EPSS0.00531
UpdatedJuly 14, 2026

Quick answer

Microsoft 365 Copilot should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Microsoft 365 Copilot hosted service

Fixed versions

  • No customer-managed package version is listed; follow Microsoft MSRC guidance for CVE-2026-41106

How to fix it

CVE-2026-41106 affects Microsoft 365 Copilot, which is a Microsoft hosted service. No customer-installed package version is listed for this record. Review the MSRC advisory, check tenant exposure, and confirm Microsoft guidance for your environment. Treat it as important if the service is enabled or tied to sensitive data.

  1. Inventory where Microsoft 365 Copilot is enabled in your tenant.
  2. Open the MSRC advisory for CVE-2026-41106 and record the current guidance.
  3. Review users, roles, apps, connectors, and service permissions tied to this product.
  4. Limit access to trusted users and groups where possible.
  5. Review audit logs for unusual privilege changes, redirects, or cross-service access.
  6. Rotate secrets or app credentials if suspicious access is found.
  7. Document tenant checks, owners, and any Microsoft guidance you followed.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm the MSRC advisory for CVE-2026-41106 has been reviewed.
  • Confirm Microsoft 365 Copilot access is limited to expected users and apps.
  • Confirm audit logs do not show suspicious activity tied to this issue.
  • Confirm any risky roles, connectors, or permissions were reduced.
  • Save tenant evidence and the review date.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-41106?

Microsoft 365 Copilot versions listed as affected should be reviewed: Microsoft 365 Copilot hosted service.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.