CVE-2026-48561
Microsoft Copilot Remote Code Execution Vulnerability
Description
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to execute code over a network.
In plain language
AI Act nowMicrosoft 365 Copilot for Android and iOS have a serious command-injection weakness that could let an attacker run code if they trick a user into interacting with a malicious Copilot input; you should update promptly if you use Copilot on mobile.
CVE-2026-48561 is a command-injection (CWE-77) flaw in Microsoft 365 Copilot for Android and Microsoft 365 Copilot for iOS that allows network attackers to trigger remote code execution via malicious input when user interaction occurs (no authentication required).
What to do now
- Check whether you (or staff) use Microsoft 365 Copilot on mobile devices running the Copilot Android or iOS apps.
- Update Microsoft 365 Copilot for Android and Microsoft 365 Copilot for iOS to the latest version available in your app store, since fixes are available in the published releases.
- Until updated, treat unexpected Copilot prompts, links, or files you didn’t request as suspicious and avoid interacting with them.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:RUser InteractionS:CScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
- Records Are Made to Be Broken: Patch Tuesday Raises Triage Stakesen·Dark Reading·
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patches a Record 570 Security Flawsen-us·Krebs on Security·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-48561 and every CVE in our database. Create a free account — no credit card required.
Create Free Account