Duty Analyst: Joseph McCarthy
← Back to CVE list

CVE-2026-42824

Published: 2026-06-04 23:17:32 | Last modified: 2026-06-19 21:16:43

MEDIUM CVSS 6.5
No EPSS data

Description

Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network.

CVSS details

Severity
medium
Score
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

This CVE is not currently listed in the EPSS dataset.

Show JSON 
{
    "cve": {
        "id": "CVE-2026-42824",
        "cveTags": [
            {
                "tags": [
                    "exclusively-hosted-service"
                ],
                "sourceIdentifier": "secure@microsoft.com"
            }
        ],
        "metrics": {
            "ssvcV203": [
                {
                    "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "ssvcData": {
                        "id": "CVE-2026-42824",
                        "role": "CISA Coordinator",
                        "options": [
                            {
                                "exploitation": "none"
                            },
                            {
                                "automatable": "no"
                            },
                            {
                                "technicalImpact": "partial"
                            }
                        ],
                        "version": "2.0.3",
                        "timestamp": "2026-06-06T17:26:03.554586Z"
                    }
                }
            ],
            "cvssMetricV31": [
                {
                    "type": "Secondary",
                    "source": "secure@microsoft.com",
                    "cvssData": {
                        "scope": "UNCHANGED",
                        "version": "3.1",
                        "baseScore": 6.5,
                        "attackVector": "NETWORK",
                        "baseSeverity": "MEDIUM",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
                        "integrityImpact": "NONE",
                        "userInteraction": "REQUIRED",
                        "attackComplexity": "LOW",
                        "availabilityImpact": "NONE",
                        "privilegesRequired": "NONE",
                        "confidentialityImpact": "HIGH"
                    },
                    "impactScore": 3.6,
                    "exploitabilityScore": 2.8
                },
                {
                    "type": "Primary",
                    "source": "nvd@nist.gov",
                    "cvssData": {
                        "scope": "UNCHANGED",
                        "version": "3.1",
                        "baseScore": 7.5,
                        "attackVector": "NETWORK",
                        "baseSeverity": "HIGH",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                        "integrityImpact": "NONE",
                        "userInteraction": "NONE",
                        "attackComplexity": "LOW",
                        "availabilityImpact": "NONE",
                        "privilegesRequired": "NONE",
                        "confidentialityImpact": "HIGH"
                    },
                    "impactScore": 3.6,
                    "exploitabilityScore": 3.9
                }
            ]
        },
        "affected": [
            {
                "source": "secure@microsoft.com",
                "affectedData": [
                    {
                        "vendor": "Microsoft",
                        "product": "Microsoft 365 Copilot",
                        "versions": [
                            {
                                "status": "affected",
                                "version": "-"
                            }
                        ]
                    }
                ]
            }
        ],
        "published": "2026-06-04T23:17:32.077",
        "references": [
            {
                "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42824",
                "tags": [
                    "Vendor Advisory"
                ],
                "source": "secure@microsoft.com"
            }
        ],
        "vulnStatus": "Modified",
        "weaknesses": [
            {
                "type": "Secondary",
                "source": "secure@microsoft.com",
                "description": [
                    {
                        "lang": "en",
                        "value": "CWE-77"
                    }
                ]
            }
        ],
        "descriptions": [
            {
                "lang": "en",
                "value": "Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network."
            }
        ],
        "lastModified": "2026-06-19T21:16:42.893",
        "configurations": [
            {
                "nodes": [
                    {
                        "negate": false,
                        "cpeMatch": [
                            {
                                "criteria": "cpe:2.3:a:microsoft:copilot:-:*:*:*:*:*:*:*",
                                "vulnerable": true,
                                "matchCriteriaId": "4460C154-CAA1-49B9-8016-EFE5602C6E1C"
                            }
                        ],
                        "operator": "OR"
                    }
                ]
            }
        ],
        "sourceIdentifier": "secure@microsoft.com"
    }
}