BREAKING
SearchLeak: One-Click Copilot Flaw
CVE-2026-42824 at a Glance
Target
Copilot
●
Enterprise Search
●
Microsoft Graph permissions
Data at Risk
Critical
●
Email, files, calendar
●
Even MFA and OTP codes
How the Attack Chain Worked
1
Click trusted URL
↓
2
P2P prompt injection
↓
3
img race condition
↓
4
SSRF bypass CSP
Legit Domain Beats URL Filters
Echoes of EchoLeak and Reprompt
Patched, No Known Exploitation
AI NEWS BLITZ
A one-click flaw in Microsoft 365 Copilot could leak your data, and it's now patched.