CVE-2026-58617: M365 Copilot for iOS Elevation of Privilege Vulnerability

Overview

Severity
High (CVSS 8.1)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2026-Jul
Released
2026-07-14

Description

Improper access control in Microsoft 365 Copilot for iOS allows an unauthorized attacker to elevate privileges over a network.

FAQ

According to the CVSS metric, the attack vector is network (AV:N) and the attack complexity is low (AC:L). What does that mean for this vulnerability? The attack vector is Network (AV:N) because this vulnerability is remotely exploitable and can be exploited from the internet. The attack complexity is Low (AC:L) because an attacker does not require significant prior knowledge of the system and can achieve repeatable success with the payload against the vulnerable component.

Affected Products (1)

Apps

  • Microsoft 365 Copilot for iOS

Security Updates (1)

Acknowledgments

Ofek Levin with <a href="https://enclave.ai/">Enclave</a>

Revision History

  • 2026-07-14: Information published.