Microsoft Patch Tuesday: Solving the Excel Copilot Data Leak (CVE-2026-26144)

This month's Microsoft Patch Tuesday focuses on a particularly concerning vulnerability in Microsoft 365 Copilot. Designated as CVE-2026-26144, this flaw allowed for the silent exfiltration of sensitive data from Excel workbooks via a highly sophisticated indirect prompt injection attack.

The Mechanism: Shared Link Exfiltration

The vulnerability exists in the way Excel Copilot handles hidden metadata and cell comments. An attacker could send a shared Excel link containing a hidden "instructional comment" designed to override Copilot's system prompt. When a victim opens the file and asks Copilot a seemingly unrelated question, the hidden instructions trigger.

These instructions command Copilot to encode the contents of private cells into a base64 string and append it to an external image URL. Because Copilot is allowed to render images in its chat interface, the "request" for the image acts as a covert channel, sending the private data to the attacker's server without the user's knowledge.

Technical Impact: Cross-Tenant Risks

The severity of CVE-2026-26144 is amplified in multi-tenant environments. In some cases, researchers found that the exploit could be used to leak data across entitled boundaries—for example, a contractor with access to one sheet could potentially "ask" Copilot to retrieve data from a linked sheet they weren't supposed to see, provided both were part of the same organization's Graph index.

Vulnerability Details:

• CVE ID: CVE-2026-26144
• CVSS Score: 8.8 (High)
• Attack Vector: Network (Indirect Prompt Injection)
• Privileges Required: None (victim must open a shared file)

The Fix: Contextual Boundary Hardening

Microsoft's patch introduces Contextual Boundary Hardening. Copilot now uses a separate, low-privileged LLM "sandbox" to pre-scan all non-cell data (comments, metadata, property fields) for instructional patterns. If an injection attempt is detected, the agentic capabilities of the session are restricted, and the user is warned.

Additionally, Microsoft has tightened the Image Rendering Policy in the Copilot chat. URLs are now proxied through a Microsoft-owned sanitization service that strips query parameters containing potential exfiltrated data before the request reaches the external server.

Conclusion: The New Era of AI Pentesting

CVE-2026-26144 is a landmark case in AI-specific vulnerabilities. It demonstrates that the traditional security perimeters of SaaS applications are no longer sufficient when an autonomous agent is operating within the data layer. As organizations continue to adopt Copilot for Microsoft 365, the focus must shift from securing the "container" to securing the inference path.