Home / Vulnerability Intelligence / CVE-2026-26137

CVE-2026-26137 - Vulnerability Analysis

HighCVSS: 8.9

Last Updated: March 19, 2026

Microsoft 365 Copilot Business Chat - Privilege Escalation

Published: March 19, 2026Updated: March 19, 2026Remote Exploitable

Overview

Microsoft 365 Copilot's Business Chat contains a server side request forgery caused by improper request validation, letting authorized attackers elevate privileges over a network, exploit requires attacker authorization.

Severity & Score

Severity: High

CVSS Score: 8.9

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Authorized attackers can elevate privileges over the network, potentially gaining unauthorized access or control.

Mitigation

Update to the latest version with the SSRF fix.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137

Social Media Activity(2 posts)

TheHackerWire

@thehackerwire

Mar 19, 2026

🟠 CVE-2026-26137 - High (8.9) Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26137/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

TheHackerWire

@thehackerwire

Mar 19, 2026

View original post

Related Resources

Details

CVE ID: CVE-2026-26137
Severity: High
CVSS Score: 8.9
Type: server_side_request_forgery
Status: new
EPSS: 0.0%
Social Posts: 2

CWE

CWE-918

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

EPSS Score

0.0%Probability of exploitation in the next 30 days