CVE-2026-41614

Published May 12, 2026

Last updated 22 days ago

CVSS medium 6.2

Overview

Description
Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
Source
secure@microsoft.com
NVD status
Analyzed
Products
365_copilot

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.2
Impact score
3.6
Exploitability score
2.5
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

secure@microsoft.com
CWE-284

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.CVE-2026-42827
  2. Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.CVE-2026-41090
  3. Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.CVE-2026-42831
  4. Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.CVE-2026-41100
  5. Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.CVE-2026-40363

References

Sources include official advisories and independent security research.