Microsoft has disclosed a command injection vulnerability in Outlook Copilot, but this isn't a typical Patch Tuesday update. CVE-2026-55145, published on July 14, 2026, carries a CVSS base score of 6.3 and a Moderate severity rating. The headliner: there's no downloadable fix. The entire remediation lives in Microsoft's cloud.
For administrators, that means a shift from patch deployment to tenant-level verification. For everyday users, the risk is low but the lesson is clear: as AI assistants weave deeper into email, the definition of a malicious message is expanding.
What Actually Changed
The vulnerability, classified under CWE-77 (Improper Neutralization of Special Elements Used in a Command), allows an authenticated attacker to tamper with data through a network-based attack. The CVSS vector reads CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N. That breaks down into:
- Attack Vector: Network (reachable remotely)
- Attack Complexity: Low
- Privileges Required: Low (attacker needs some authorized access)
- User Interaction: Required (the victim must take some action)
- Scope: Unchanged (exploitation stays within the same security authority)
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
Microsoft's advisory is remarkably thin. The National Vulnerability Database simply echoes the same description, still marked as awaiting enrichment. Zero Day Initiative noted the ambiguity in its July 2026 security update review, highlighting that Microsoft described the issue only in terms of malicious use and network-based tampering. No technical FAQ has been released.
The term \"command injection\" raises alarms, but it doesn't automatically mean an attacker can open a Windows shell. In an AI assistant like Copilot, a \"command\" could be an instruction to the orchestration layer, a connector, or a service operation. The published impact — tampering, not remote code execution — suggests the attack manipulates Copilot's interpretation and actions, not the underlying operating system.
Crucially, Microsoft has not linked this CVE to any Windows build, Office Click-to-Run package, or KB article. The affected product is listed generically as Microsoft Copilot, with the vulnerability title narrowing it to Outlook Copilot. That points to a service-side fix already deployed, not a binary update waiting to be installed.
What It Means for You
For everyday Outlook users: The risk is minimal in daily operation. The attack requires user interaction, meaning you'd have to click, preview, or otherwise engage with a maliciously crafted item. If you use Outlook Copilot features—such as asking it to summarize emails or search your mailbox—be wary of unexpected prompts or results, especially from unknown senders. But there’s no reason to panic: simply reading an email doesn't compromise your system.
For IT administrators and security teams: This CVE upends the traditional patch workflow. There is no software update to approve, test, or push to endpoints. Instead, your focus must shift to your Microsoft 365 tenant. The core question: Has Microsoft’s service-side remediation reached your organization? From there, the work becomes auditing who has Copilot enabled, what they can access, and whether any anomalous activity occurred around the disclosure date.
For compliance and governance leads: Copilot now acts as both a user and an interpreter of organizational data. A flaw like CVE-2026-55145 blurs the line between safe content and executable instruction. Policies around sensitive data access may need reconsideration if an AI assistant can be tricked into summarizing or altering information that a user wouldn’t normally see.
How We Got Here
Microsoft rolled out Copilot in Outlook as part of the broader AI push across Microsoft 365. The assistant can summarize threads, draft replies, find internal documents, and even perform limited actions via connectors and plugins. Each of those capabilities introduces a new attack surface.
Prompt injection—the technique of feeding an LLM instructions hidden inside normal input—has been a known risk since the earliest large language models. Security researchers have demonstrated that a hidden prompt in a web page could instruct a browser AI assistant to extract information or perform unintended actions. With Copilot, email bodies, calendar items, and even attachments become potential injection vectors.
CVE-2026-55145 is not the first such vulnerability in an AI assistant, but it may be the most prominent within a mainstream productivity suite. Microsoft has long emphasized its secure-by-design approach for Copilot, including content filtering and scope boundaries. This CVE reveals a gap in input neutralization that essentially lets an authenticated insider—or an external attacker with a compromised account—sneak harmful instructions into a colleague’s workflow.
The disclosure timing aligns with July 2026 Patch Tuesday, but the absence of a traditional patch underscores the industry’s transition toward continuously updated cloud services. Security teams accustomed to packaged updates must now rely on service health dashboards and audit logs rather than deployment rings.
What to Do Now
Based on the limited information Microsoft has provided, here’s a step-by-step response plan:
-
Confirm tenant remediation. Open the Microsoft 365 admin center and check the Service Health section for any advisories or incident reports tied to CVE-2026-55145. Look for a post-incident review confirming that the cloud-side fix has been applied to your tenant. If no such note exists, open a support request.
-
Identify exposed users. Audit which users have Outlook Copilot enabled—this may include Exchange Online license holders or specific groups. Focus on accounts with access to highly sensitive mailboxes, shared mailboxes, or connected data sources (e.g., SharePoint, Teams conversations).
-
Review Copilot interaction logs. Even without a forensic playbook from Microsoft, pull Microsoft 365 audit logs for the days surrounding July 14, 2026. Search for unusual Copilot-initiated actions, unexpected data retrievals, or modifications to messages or files. Pay special attention to operations that originate from a user’s identity but don’t match their normal behavior.
-
Educate users. Make it clear that not all Copilot outputs are inherently trustworthy, especially when they involve summarizing or acting on an external email. Encourage users to report suspicious Copilot behavior through official channels without forwarding potentially malicious content.
-
Consider temporary restrictions for high-risk accounts. If you cannot verify that remediation is complete, or if the account in question is particularly critical (executives, finance, legal), you may choose to disable Copilot for those users. Microsoft hasn’t issued official workaround guidance recommending disabling, so weigh the operational impact. Under Security & Compliance, you can manage Copilot features per user or group.
-
Watch for updates. Subscribe to the Microsoft Security Response Center blog and the CVE page itself. Historical patterns suggest Microsoft eventually adds technical FAQs for significant CVEs. In the meantime, treat third-party proof-of-concept code with caution until its legitimacy is confirmed.
Outlook
CVE-2026-55145 is unlikely to be the last Copilot vulnerability. As AI assistants gain deeper access to corporate data, the trust boundary between content and command keeps eroding. Microsoft will almost certainly tighten its input filtering and release more governance controls. For now, the most important takeaway is that your security posture must extend beyond endpoint patching into cloud service verification. If you're not already treating your Microsoft 365 tenant as a security perimeter, this moderate CVE is your wake-up call.