Microsoft has disclosed two critical privilege-escalation vulnerabilities in its cloud services, and the severity rating is the story. CVE-2026-41106 in Microsoft 365 Copilot chains an open redirect into privilege escalation, and CVE-2026-54998 in Exchange Online is an incorrect-authorization flaw. Microsoft rated both Critical, an unusual label for privilege-escalation bugs, and a signal of how much damage a broken privilege boundary does in multi-tenant cloud.

  • Both are cloud-side flaws, meaning Microsoft patches them centrally, but the window before patching still exposed tenant data.
  • CVE-2026-41106 abuses an open redirect in M365 Copilot to escalate privileges, weaponizing the AI assistant's own trust context.
  • The Critical rating on privilege-escalation bugs is rare, and reflects the outsized blast radius when tenant isolation fails.
  • The Copilot flaw is an early example of a new class: vulnerabilities in the AI layer bolted onto enterprise software.
How an open redirect becomes privilege escalation A crafted redirect in M365 Copilot carries the victim's trust context to an attacker-controlled destination, escalating access. Victim inM365 Copilot Open redirecttrusted URL param Attacker siteinherits trust Priv esctenant data The redirect looks legitimate because it starts inside a Microsoft-trusted surface genztech.blog
Fig 1 An open redirect is benign on its own. Chained through a trusted assistant surface, it carries the victim's context to an attacker's destination, which is how a "low-severity" redirect becomes a critical privilege-escalation.

What is actually broken?

An open redirect is normally treated as a minor issue: a URL parameter that sends a user to an arbitrary destination. The danger here is the chain. Because the redirect originates inside M365 Copilot, a surface the user and their tokens trust, it can be used to hand the victim's authenticated context to an attacker-controlled endpoint, escalating what the attacker can do inside the tenant. The Exchange Online bug, CVE-2026-54998, is an incorrect-authorization flaw: the service failed to properly check whether an actor was allowed to perform an action, letting a lower-privileged identity reach beyond its boundary.

RelatedGrok Build CLI Secretly Uploads Your Entire Repo to xAI

Why rate privilege escalation as Critical?

Microsoft usually reserves Critical for remote code execution or wormable flaws; privilege escalation typically lands a notch lower. Rating these Critical is a deliberate statement about cloud architecture. In a multi-tenant service, the privilege boundary is the product, it is the wall that keeps one customer's data away from another's and one user away from admin. When that wall cracks, the impact is not one machine but potentially an entire tenant's mailbox, files, and AI-accessible data. In the cloud, a broken authorization check is closer to RCE in consequence than the label usually admits.

How worried should M365 Copilot users be?

The reassuring part is that these are server-side flaws Microsoft fixes centrally; there is no patch for customers to deploy and no long tail of unpatched endpoints. The uncomfortable part is what the Copilot flaw represents. Bolting a large language model into email, documents, and chat creates new trust surfaces, and CVE-2026-41106 is an early, concrete example of the AI layer itself becoming the vulnerability. As every enterprise suite grows a Copilot-style assistant with broad read access, that assistant becomes a high-value target precisely because it can see so much.

AttributeCVE-2026-41106CVE-2026-54998
ServiceMicrosoft 365 CopilotExchange Online
ClassOpen redirect → priv escIncorrect authorization
SeverityCriticalCritical
FixCloud-side (Microsoft)Cloud-side (Microsoft)
Customer actionReview audit logsReview audit logs

What should defenders do now?

Because there is no customer patch, the action is verification, not remediation. Review sign-in and audit logs for anomalous Copilot interactions and unexpected cross-tenant or elevated access during the exposure window. Confirm conditional-access policies are tight, and treat the incident as a prompt to inventory exactly what your Copilot deployment can read. The lesson is not "one bug got fixed"; it is that the AI assistant is now part of your attack surface and deserves the same monitoring as any privileged service account.

RelatedZimbra Patches Stored-XSS RCE in Classic Web Client

What to watch · 2026
  • More AI-layer CVEs. Expect a steady stream of vulnerabilities in Copilot-style assistants as attackers probe the new trust surface.
  • Exploitation evidence. Watch CISA KEV and Microsoft advisories for signs either flaw was used in the wild before patching.
  • Rating precedent. If Microsoft keeps rating cloud privilege-escalation Critical, it changes how the industry triages authorization bugs.

How is patching a cloud bug different?

With on-premise software, a disclosed vulnerability starts a race: the vendor ships a patch, and every customer must apply it before attackers weaponize it, which is why flaws like the SharePoint server bugs linger on unpatched systems for months. Cloud-side flaws invert that. Microsoft fixes the service centrally, so there is no patch backlog and no long tail of exposed installs. The tradeoff is opacity: customers cannot verify the fix, cannot control the timeline, and often learn the details only after the window has closed. That is why the meaningful customer action for these two CVEs is forensic, comb the audit logs for the exposure period, rather than remedial.

Our take

The most important thing about these two flaws is not that Microsoft fixed them, it is that one of them lives in the AI assistant. For years the security story of SaaS was about the platform; now the assistant grafted onto the platform is its own target, and it inherits enormous read access by design. Microsoft's decision to rate cloud privilege-escalation Critical is the right call and a useful precedent: in multi-tenant services the authorization boundary is the security model, and treating a break in it as anything less than critical understates the danger. Defenders should read this as a preview. The Copilot layer will keep generating vulnerabilities, and the organizations that come out ahead are the ones already monitoring it like the privileged system it is.

Primary sources

Original analysis by GenZTech. Figures current as of July 2026. Source: Microsoft MSRC.