{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26137", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T16:24:51.133Z", "datePublished": "2026-03-19T21:06:26.050Z", "dateUpdated": "2026-03-24T16:49:53.728Z"}, "containers": {"cna": {"title": "Microsoft 365 Copilot BizChat Elevation of Privilege Vulnerability", "datePublic": "2026-03-19T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:365_copilot_business_chat:*:*:*:*:*:*:*:*", "versionStartIncluding": "-"}]}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft 365 Copilot's Business Chat", "versions": [{"version": "-", "status": "affected"}]}], "descriptions": [{"value": "Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "en-US", "type": "CWE", "cweId": "CWE-918"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-24T16:49:53.728Z"}, "references": [{"name": "Microsoft 365 Copilot BizChat Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "CRITICAL", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C"}}], "tags": ["exclusively-hosted-service"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-26137"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T04:01:45.877Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26137", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T15:16:02.985716Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:17:47.384Z"}}], "cna": {"tags": ["exclusively-hosted-service"], "title": "Microsoft 365 Copilot BizChat Elevation of Privilege Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.9, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "Microsoft 365 Copilot's Business Chat", "versions": [{"status": "affected", "version": "-"}]}], "datePublic": "2026-03-19T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137", "name": "Microsoft 365 Copilot BizChat Elevation of Privilege Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:365_copilot_business_chat:*:*:*:*:*:*:*:*", "vulnerable": true, "versionStartIncluding": "-"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-03-24T16:49:53.728Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26137", "state": "PUBLISHED", "dateUpdated": "2026-03-24T16:49:53.728Z", "dateReserved": "2026-02-11T16:24:51.133Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-19T21:06:26.050Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:365_copilot_chat:-:*:*:*:*:*:*:*", "matchCriteriaId": "431CBC2E-E9C8-4A85-B619-F7782685F815", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "secure@microsoft.com", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "Server-side request forgery (ssrf) in Microsoft 365 Copilot's Business Chat allows an authorized attacker to elevate privileges over a network."}, {"lang": "es", "value": "Falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) en el Chat Empresarial de Microsoft 365 Copilot permite a un atacante autorizado elevar privilegios sobre una red."}], "id": "CVE-2026-26137", "lastModified": "2026-03-24T17:18:22.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-19T21:17:08.050", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26137"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secure@microsoft.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Microsoft 365 Copilot's Business Chat", "source": "cna", "vendor": "Microsoft"}, "product": "365_copilot_business_chat", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-24T18:55:22.409776+00:00", "value": {"mitigation_remediation": ["Apply the latest Microsoft 365 Copilot Business Chat update that addresses CVE-2026-26137 via the Microsoft Security Response Center update guide", "If a patch is not immediately available, restrict or disable Business Chat for privileged accounts until the update is applied", "Monitor internal network traffic for anomalous requests originating from Business Chat to detect potential exploitation attempts"], "summary": {"action": "Immediate Patch", "impact": "Elevation of Privilege"}, "threat_synthesis": {"affected_systems": "Microsoft 365 Copilot Business Chat is affected. No specific version ranges are listed in the CNA data, so all deploys of Business Chat should be considered vulnerable pending vendor guidance.", "description_and_impact": "The vulnerability is a server\u2011side request forgery in Microsoft 365 Copilot\u2019s Business Chat. It permits a user who is already authorized to send crafted requests to internal endpoints, resulting in unintended privilege escalation within the network. This can allow the attacker to access resources or perform actions beyond their normal role. The flaw is classified as CWE\u2011918, reflecting the use of malformed requests to subvert access controls.", "risk_and_exploitability": "The score of 9.9 indicates a critical level of severity, while the EPSS of less than 1% suggests that, in the wild, the vulnerability is unlikely to be actively exploited at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely need an existing authorized account with access to Business Chat and would exploit the SSRF by directing Copilot to reach internal services, thereby bypassing normal access controls. Because the attack requires network\u2011level interaction for the SSRF, it is conceivable that privileged users or compromised user accounts could leverage it if the system is not patched."}}}}, "created": "2026-03-20T08:55:54.687407+00:00", "updated": "2026-03-25T11:54:48.553831+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$365_copilot_business_chat"]}