CVE-2026-41100: Microsoft 365 Copilot for Android Spoofing Vulnerability

Overview

Severity

Medium (CVSS 4.4)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Unlikely

Patch Tuesday

2026-May

Released

2026-05-12

Description

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).

Affected Products (1)

Apps

• Microsoft 365 Copilot for Android

Security Updates (1)

• Release Notes

Acknowledgments

<a href="https://twitter.com/yanir_">Yanir Tsarimi</a>

Revision History

• 2026-05-12: Information published.