CVE-2026-55145: Outlook Copilot Tampering Vulnerability

Overview

Severity
Medium (CVSS 6.3)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C
Category
Tampering
Exploit Status
Not Exploited
Patch Tuesday
2026-Jul
Released
2026-07-14
EPSS Score
0.37% (percentile: 29.2%)

Description

Improper neutralization of special elements used in a command ('command injection') in Outlook Copilot allows an authorized attacker to perform tampering over a network.

FAQ

How do I protect myself from this vulnerability? Customers can help protect themselves by enabling Outlook's external sender tagging feature to identify untrusted content. This enables Microsoft's provided mitigations to isolate and safely process the untrusted content before it is provided to Microsoft 365 Copilot. Administrators can enable external sender tagging through Exchange Online PowerShell. Refer to the Microsoft Learn documentation for setup instructions and requirements. Install the Exchange Online PowerShell Module Connect to Exchange Online PowerShell Set-ExternalInOutlook

Affected Products (1)

Other

  • Microsoft Copilot

Acknowledgments

<a href="https://enklypesalt.com/">H&#229;kon M&#229;l&#248;y</a>

Revision History

  • 2026-07-14: Information published.