CVE Catalog

CVE-2026-41106

Severity: Critical · CVSS 9.3
Published: · Translated from: NVD (NIST)

Summary

A URL redirection to untrusted site (open redirect) vulnerability in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.

Risk Assessment

An attacker can abuse the open redirect for phishing or data theft: a link that appears to point at a trusted domain forwards the victim to an attacker-controlled site, allowing user sessions to be intercepted.

Recommendation

Apply the security update from Microsoft for M365 Copilot and implement URL validation mechanisms in applications using redirects.

Original NVD description (English source)

Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS