Microsoft has disclosed CVE-2026-55145, a command-injection vulnerability in Outlook Copilot that could let an authenticated attacker tamper with data through a network-based attack. Published by the Microsoft Security Response Center on July 14, 2026, the flaw carries a CVSS 3.1 base score of 6.3 and a Moderate severity rating.
The vulnerability is notable less for its score than for where it sits: between Outlook content, Copilot’s interpretation of that content, and actions performed using an authorized Microsoft 365 identity. Microsoft’s description is exceptionally brief, leaving administrators without a detailed attack sequence, indicators of compromise, or a precise list of affected Outlook and Copilot configurations.
The National Vulnerability Database has reproduced Microsoft’s description but remains in the awaiting enrichment stage. Its record identifies Microsoft Copilot as the affected product without naming a client version, build number, update package, or Microsoft 365 service plan.
Microsoft classifies CVE-2026-55145 under CWE-77, Improper Neutralization of Special Elements Used in a Command. In practical terms, Outlook Copilot does not adequately neutralize specially constructed input before that input reaches a command-like processing path.
The published CVSS vector is
The vulnerability is reachable over a network and has low attack complexity, but exploitation requires low privileges and user interaction. It is therefore not described as an unauthenticated, one-click compromise of every Outlook installation. An attacker must already possess some authorized access and must induce another user to participate in the attack sequence.
A successful attack can have a high confidentiality impact and a low integrity impact, according to Microsoft’s score. Availability is not affected. That combination suggests the vulnerable workflow could expose sensitive information while also allowing limited modification of data, rather than crashing Outlook, disabling Copilot, or delivering conventional arbitrary code execution.
The scope remains unchanged, meaning Microsoft’s scoring does not indicate that exploitation crosses into a separately controlled security authority. CVE-2026-55145 should consequently be treated as a Copilot data-handling and trust-boundary failure, not as evidence that an attacker can use Outlook Copilot to take over the underlying Windows device.
In an AI assistant, a command can also be an instruction passed to an orchestration layer, tool, connector, plug-in, or service operation. The public record does not establish that CVE-2026-55145 permits arbitrary shell commands, malware installation, or direct execution on a Windows endpoint.
Zero Day Initiative highlighted that ambiguity in its July 2026 security update review, observing that Microsoft described the issue only in terms of malicious use and network-based tampering. The lack of a technical FAQ makes it impossible to say whether the dangerous input resides in an email body, attachment, calendar object, conversation context, external content retrieved by Copilot, or another Outlook data source.
That distinction matters for incident response. Endpoint controls designed to catch a child process spawned by Outlook may have little visibility if exploitation occurs entirely inside Microsoft’s cloud services. Conversely, Microsoft 365 audit events, mailbox activity, Copilot interaction records, and changes made through connected services may offer more useful evidence.
Administrators should avoid turning the sparse disclosure into a more dramatic claim than Microsoft has made. There is currently no public evidence that simply previewing an email compromises Windows, nor that CVE-2026-55145 gives an attacker unrestricted command execution.
It does not mean that attacks have been observed in customer environments. CISA’s initial Stakeholder-Specific Vulnerability Categorization entry recorded no known exploitation, assessed the attack as not readily automatable, and described the technical impact as partial. Microsoft also listed the vulnerability as neither publicly disclosed nor exploited when the July 14 advisory was issued, according to Patch Tuesday tracking by SANS Internet Storm Center and Zero Day Initiative.
The distinction is important because the supplied report-confidence explanation can otherwise sound like an exploitation warning. Confirmed raises confidence that CVE-2026-55145 is real and accurately characterized; it does not independently raise the likelihood that an organization has already been attacked.
Microsoft’s temporal score is 5.7, below the 6.3 base score. That reduction reflects the availability of an official remedy, unproven exploit maturity, and confirmed reporting. No public proof-of-concept or detailed exploitation procedure was identified with the initial disclosure.
That strongly indicates a service-side component, although Microsoft’s sparse advisory stops short of documenting the deployment model. Administrators should not assume that installing the July Windows cumulative update alone addresses this issue, because no Windows build, Office build, or KB identifier is attached to CVE-2026-55145.
For organizations using Outlook Copilot, the immediate response should center on confirming Microsoft 365 service remediation and reviewing exposure rather than searching indefinitely for a missing MSI or Windows Update package. Security teams should also preserve relevant Microsoft 365 audit data while the disclosure is fresh.
A focused response should include the following actions:
CVE-2026-55145 illustrates the resulting security problem: content that is safe enough to render may not be safe to interpret as an instruction. Authentication does not solve that problem by itself. The CVSS requirement for low privileges indicates that an attacker needs authorized access, but an ordinary compromised account or malicious insider can still supply untrusted content.
The required user interaction lowers the likelihood of mass automated exploitation, but it does not eliminate risk in targeted attacks. An attacker could tailor content to a finance employee, administrator, executive, or support operator whose Copilot context includes valuable communications. The high confidentiality rating makes those identities more important than the average endpoint count.
Microsoft’s initial advisory leaves significant operational questions unanswered, including the exact user action required, which Outlook experiences are affected, and what data can be altered. Until those details arrive, CVE-2026-55145 belongs in the Microsoft 365 incident queue rather than being dismissed as a Moderate cloud issue—or misrepresented as a confirmed Windows remote-code-execution flaw.
The vulnerability is notable less for its score than for where it sits: between Outlook content, Copilot’s interpretation of that content, and actions performed using an authorized Microsoft 365 identity. Microsoft’s description is exceptionally brief, leaving administrators without a detailed attack sequence, indicators of compromise, or a precise list of affected Outlook and Copilot configurations.
The National Vulnerability Database has reproduced Microsoft’s description but remains in the awaiting enrichment stage. Its record identifies Microsoft Copilot as the affected product without naming a client version, build number, update package, or Microsoft 365 service plan.
The CVSS Vector Points to a User-Assisted Attack
Microsoft classifies CVE-2026-55145 under CWE-77, Improper Neutralization of Special Elements Used in a Command. In practical terms, Outlook Copilot does not adequately neutralize specially constructed input before that input reaches a command-like processing path.The published CVSS vector is
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N. That gives defenders several useful boundaries even though Microsoft has not published a full technical explanation.The vulnerability is reachable over a network and has low attack complexity, but exploitation requires low privileges and user interaction. It is therefore not described as an unauthenticated, one-click compromise of every Outlook installation. An attacker must already possess some authorized access and must induce another user to participate in the attack sequence.
A successful attack can have a high confidentiality impact and a low integrity impact, according to Microsoft’s score. Availability is not affected. That combination suggests the vulnerable workflow could expose sensitive information while also allowing limited modification of data, rather than crashing Outlook, disabling Copilot, or delivering conventional arbitrary code execution.
The scope remains unchanged, meaning Microsoft’s scoring does not indicate that exploitation crosses into a separately controlled security authority. CVE-2026-55145 should consequently be treated as a Copilot data-handling and trust-boundary failure, not as evidence that an attacker can use Outlook Copilot to take over the underlying Windows device.
“Command Injection” Does Not Automatically Mean a Windows Shell
The CWE-77 classification deserves careful interpretation. The word command often evokes PowerShell, Command Prompt, or operating-system code execution, but Microsoft has classified the impact as tampering rather than remote code execution.In an AI assistant, a command can also be an instruction passed to an orchestration layer, tool, connector, plug-in, or service operation. The public record does not establish that CVE-2026-55145 permits arbitrary shell commands, malware installation, or direct execution on a Windows endpoint.
Zero Day Initiative highlighted that ambiguity in its July 2026 security update review, observing that Microsoft described the issue only in terms of malicious use and network-based tampering. The lack of a technical FAQ makes it impossible to say whether the dangerous input resides in an email body, attachment, calendar object, conversation context, external content retrieved by Copilot, or another Outlook data source.
That distinction matters for incident response. Endpoint controls designed to catch a child process spawned by Outlook may have little visibility if exploitation occurs entirely inside Microsoft’s cloud services. Conversely, Microsoft 365 audit events, mailbox activity, Copilot interaction records, and changes made through connected services may offer more useful evidence.
Administrators should avoid turning the sparse disclosure into a more dramatic claim than Microsoft has made. There is currently no public evidence that simply previewing an email compromises Windows, nor that CVE-2026-55145 gives an attacker unrestricted command execution.
Confirmed Does Not Mean Exploited
The report-confidence component of Microsoft’s temporal score is marked Confirmed. In CVSS terminology, that means the vulnerability and its technical basis have been validated through detailed reporting, reproducible behavior, source inspection, or acknowledgement by the vendor.It does not mean that attacks have been observed in customer environments. CISA’s initial Stakeholder-Specific Vulnerability Categorization entry recorded no known exploitation, assessed the attack as not readily automatable, and described the technical impact as partial. Microsoft also listed the vulnerability as neither publicly disclosed nor exploited when the July 14 advisory was issued, according to Patch Tuesday tracking by SANS Internet Storm Center and Zero Day Initiative.
The distinction is important because the supplied report-confidence explanation can otherwise sound like an exploitation warning. Confirmed raises confidence that CVE-2026-55145 is real and accurately characterized; it does not independently raise the likelihood that an organization has already been attacked.
Microsoft’s temporal score is 5.7, below the 6.3 base score. That reduction reflects the availability of an official remedy, unproven exploit maturity, and confirmed reporting. No public proof-of-concept or detailed exploitation procedure was identified with the initial disclosure.
Cloud Remediation Changes the Patch Workflow
Unlike a conventional Outlook vulnerability tied to a Click-to-Run build or Windows KB package, the public CVE record does not identify a downloadable security update. Microsoft lists the affected product generically as Microsoft Copilot, while the vulnerability title narrows the exposed feature to Outlook Copilot.That strongly indicates a service-side component, although Microsoft’s sparse advisory stops short of documenting the deployment model. Administrators should not assume that installing the July Windows cumulative update alone addresses this issue, because no Windows build, Office build, or KB identifier is attached to CVE-2026-55145.
For organizations using Outlook Copilot, the immediate response should center on confirming Microsoft 365 service remediation and reviewing exposure rather than searching indefinitely for a missing MSI or Windows Update package. Security teams should also preserve relevant Microsoft 365 audit data while the disclosure is fresh.
A focused response should include the following actions:
- Confirm through the Microsoft 365 admin center and service communications that remediation has reached the organization’s tenant.
- Identify which users have Outlook Copilot enabled and which accounts can access particularly sensitive mailboxes, shared mailboxes, or connected business data.
- Review unusual mailbox access, Copilot-assisted operations, data retrieval, and modifications occurring around July 14, 2026.
- Treat unexpected Copilot instructions or actions derived from untrusted messages as potentially hostile, even when the sender is authenticated.
- Ensure reporting paths allow users to escalate suspicious Copilot output without forwarding sensitive content outside approved channels.
Copilot Expands the Meaning of Email Content
Traditional email security treats a message as data to display, scan, quarantine, or hand to a user. Copilot changes that model because message content can become context for an assistant capable of summarizing information, retrieving related material, and potentially initiating supported actions.CVE-2026-55145 illustrates the resulting security problem: content that is safe enough to render may not be safe to interpret as an instruction. Authentication does not solve that problem by itself. The CVSS requirement for low privileges indicates that an attacker needs authorized access, but an ordinary compromised account or malicious insider can still supply untrusted content.
The required user interaction lowers the likelihood of mass automated exploitation, but it does not eliminate risk in targeted attacks. An attacker could tailor content to a finance employee, administrator, executive, or support operator whose Copilot context includes valuable communications. The high confidentiality rating makes those identities more important than the average endpoint count.
Microsoft’s initial advisory leaves significant operational questions unanswered, including the exact user action required, which Outlook experiences are affected, and what data can be altered. Until those details arrive, CVE-2026-55145 belongs in the Microsoft 365 incident queue rather than being dismissed as a Moderate cloud issue—or misrepresented as a confirmed Windows remote-code-execution flaw.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com