CVE: CVE-2026-54998, CVE-2026-41106 | CVSS: Critical (Microsoft severity rating) | Vendor: Microsoft | Product: Exchange Online, Microsoft 365 Copilot
What Is the Vulnerability
Two critical privilege escalation vulnerabilities have been disclosed in core Microsoft cloud services, both patched server-side with no customer action required.
CVE-2026-54998 (Exchange Online): An incorrect authorization flaw that allows an unauthenticated attacker to perform privilege escalation over the network. The vulnerability stems from improper access control checks in Exchange Online’s authorization pipeline, enabling an attacker to elevate from no access to privileged operations without authentication. This is rated Critical — an unusually high severity for a privilege escalation vulnerability, reflecting the ease of exploitation and the sensitivity of Exchange Online data.
CVE-2026-41106 (Microsoft 365 Copilot): An open redirect vulnerability in Microsoft 365 Copilot that chains to privilege escalation. An attacker can leverage the open redirect to phish credentials or manipulate OAuth token flows, ultimately gaining elevated privileges within the Copilot service context. Given Copilot’s deep integration with organizational data (email, documents, Teams conversations, SharePoint), a compromise could expose extensive sensitive information.
Versions Affected
Both vulnerabilities affect the cloud-side services (Exchange Online and Microsoft 365 Copilot). No on-premises Exchange Server versions are affected, and no client software requires patching. Microsoft patched both vulnerabilities server-side in its cloud infrastructure.
Exploited?
No confirmed exploitation in the wild. Both vulnerabilities were responsibly disclosed — one by an external security researcher and one discovered internally by Microsoft’s security teams.
Fix
Microsoft has applied server-side patches for both vulnerabilities. No customer action is required. The fixes were deployed transparently to Microsoft’s cloud infrastructure.
Recommendations
- No action required: Both vulnerabilities have been remediated at the cloud service layer.
- Monitor Microsoft 365 audit logs: Review for any anomalous privileged operations preceding the patch window as a precautionary measure.
- Broader implications: These CVEs highlight the growing attack surface in AI-integrated cloud services. Organisations should evaluate the blast radius of Copilot’s data access and consider implementing least-privilege access models for AI tooling.
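The audit-log review recommended above can be scripted. The following is an added example written for this advisory, not code from Microsoft or from the page: it triages Unified Audit Log records that have already been exported (for instance with the real `Search-UnifiedAuditLog` cmdlet from the ExchangeOnlineManagement module, saving the `AuditData` JSON column as a JSON array) and flags privilege-changing operations inside a review window. The operation names in the watchlist are real audit `Operation` values, but the watchlist, the suspicious-parameter table, the admin allowlist, the window dates and the sample records are all assumptions constructed here and should be tuned to the tenant.

```python
"""Triage exported Microsoft 365 Unified Audit Log records for privileged
operations in a review window (added example; not Microsoft's code).

Assumes records came from Search-UnifiedAuditLog with the AuditData column
parsed into a list of dicts. Watchlists below are a starting point only.
"""
import json
from datetime import datetime, timezone

# Operations that grant or change privilege (real Operation values; extend per tenant).
PRIVILEGED_OPERATIONS = {
    "Add-MailboxPermission",
    "Add-RoleGroupMember",
    "New-ManagementRoleAssignment",
    "Add-ManagementRoleEntry",
    "Add member to role.",  # Entra ID directory role change
    "New-TransportRule",
    "Set-TransportRule",
}

# Routine cmdlets whose parameters can redirect mail; review these too (assumption).
SUSPICIOUS_PARAMETERS = {
    "Set-Mailbox": {"ForwardingSmtpAddress", "ForwardingAddress"},
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
}


def parse_time(value):
    # CreationTime in AuditData is UTC with no explicit offset.
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def triage(records, window_start, window_end, known_admins=frozenset()):
    """Return (creation_time, actor, operation, reason) for records worth review."""
    start, end = parse_time(window_start), parse_time(window_end)
    findings = []
    for rec in records:
        when = parse_time(rec["CreationTime"])
        if not (start <= when <= end):
            continue  # outside the window under review
        op = rec.get("Operation", "")
        actor = rec.get("UserId", "")
        params = {p["Name"] for p in rec.get("Parameters", [])}
        reasons = []
        if op in PRIVILEGED_OPERATIONS:
            reasons.append("privileged operation")
        hit = SUSPICIOUS_PARAMETERS.get(op, set()) & params
        if hit:
            reasons.append("sensitive parameters: " + ", ".join(sorted(hit)))
        if reasons and actor.lower() not in known_admins:
            reasons.append("actor not in admin allowlist")
        if reasons:
            findings.append((rec["CreationTime"], actor, op, "; ".join(reasons)))
    return findings


# Constructed sample export (placeholder tenant, not real data).
SAMPLE_RECORDS = json.loads("""[
 {"CreationTime": "2026-06-20T09:12:44", "Workload": "Exchange",
  "Operation": "Add-MailboxPermission", "UserId": "admin@contoso.example",
  "Parameters": [{"Name": "Identity", "Value": "ceo"}, {"Name": "AccessRights", "Value": "FullAccess"}]},
 {"CreationTime": "2026-06-21T14:03:10", "Workload": "Exchange",
  "Operation": "Set-Mailbox", "UserId": "helpdesk@contoso.example",
  "Parameters": [{"Name": "Identity", "Value": "cfo"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:x@external.example"}]},
 {"CreationTime": "2026-06-22T08:00:00", "Workload": "Exchange",
  "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
  "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MarkAsRead", "Value": "True"}]},
 {"CreationTime": "2026-06-23T03:41:27", "Workload": "AzureActiveDirectory",
  "Operation": "Add member to role.", "UserId": "unknown@external.example"},
 {"CreationTime": "2026-05-01T10:00:00", "Workload": "Exchange",
  "Operation": "Add-RoleGroupMember", "UserId": "admin@contoso.example"}
]""")

# Placeholder review window and allowlist (assumptions; set from the patch timeline).
WINDOW_START, WINDOW_END = "2026-06-15T00:00:00", "2026-07-04T00:00:00"
KNOWN_ADMINS = frozenset({"admin@contoso.example"})


def run_sample():
    """Triage the constructed sample; returns three findings."""
    return triage(SAMPLE_RECORDS, WINDOW_START, WINDOW_END, KNOWN_ADMINS)


if __name__ == "__main__":
    for when, actor, op, reason in run_sample():
        print(f"{when}  {actor:<30} {op:<28} {reason}")
```

On the constructed sample this reports the FullAccess grant by the known admin (privileged, but allowlisted), the forwarding change made by a helpdesk account, and the directory role change by an account outside the allowlist; the May record falls outside the window and is skipped. The allowlist only annotates findings rather than suppressing them, since an allowlisted admin account is exactly what a privilege-escalation flaw of this kind would let an attacker act as.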
References
- Security.nl — Posting 943239
- Microsoft Security Response Center — Advisory
Part of the Vulnerability Intelligence series. See the July 4, 2026 VIR.
