Published
- 5 min read
By Allan D - Editor, AI Security Wire
Microsoft July Patch Tuesday: Nine CVEs Across Copilot and Azure OpenAI
The headline from Microsoft’s July 2026 Patch Tuesday was 570 vulnerabilities — a record, and driven in significant part by Microsoft’s own AI-powered internal red teaming. A separate analysis covers what that count means for defender patching cadences and why the Exploitability Index is losing signal. This piece focuses on a pattern within the patch set that has received less attention: nine vulnerabilities in Microsoft’s AI product suite, including a drive-by RCE in Copilot for desktop and a CVSS 9.9 elevation of privilege in Azure OpenAI.
AI products occupy an interesting position in a vulnerability disclosure. They handle sensitive data — queries, document content, email, calendar, code — and they run with the privileges of the signed-in user in most deployments. A vulnerability that allows code execution in a Copilot client is not just a client compromise; it is positioned inside an application that often has legitimate access to organisational data the attacker wouldn’t otherwise be able to reach.
CVE-2026-48561: Copilot Desktop RCE
The most significant AI product CVE in this batch is CVE-2026-48561, a Critical Remote Code Execution vulnerability in the Microsoft Copilot desktop application. The exploitation vector is drive-by: a victim visits a malicious website while the Copilot application is running, and code executes without further user interaction.
Drive-by RCE in a desktop application through web content is a well-understood vulnerability class, but it carries particular risk in a Copilot context. The Copilot client is authenticated to the user’s Microsoft account, may have access to organisational Microsoft 365 content depending on enterprise configuration, and runs with user-level privileges that include access to local files and credentials. An attacker who achieves code execution inside the Copilot process has landed with the same access profile the Copilot client normally operates with — which is often more than a generic user-context RCE.
Microsoft has released an updated Copilot client and categorised the fix as requiring a user update action. For managed enterprise environments, this is a push-update scenario; for consumer deployments, it requires user-initiated update.
CVE-2026-45499: Azure OpenAI Elevation of Privilege
CVE-2026-45499 is an Elevation of Privilege in Azure OpenAI scored CVSS 9.9. The vulnerability is exploitable via Server-Side Request Forgery — an attacker who can send crafted requests to the Azure OpenAI endpoint can potentially pivot to internal cloud resources or escalate their effective privilege within the service.
Microsoft’s advisory notes that the vulnerability has been cloud-mitigated: the fix was applied to Azure infrastructure without requiring customer action. That means Azure OpenAI customers are protected without patching anything themselves.
Two things are nonetheless worth noting. First, CVSS 9.9 for a SSRF-to-privilege-escalation in a cloud AI API is a significant severity score — this is the kind of class of bug that in on-premises software would drive urgent patching cycles. Second, the SSRF vulnerability class in AI services is notable because AI API endpoints are often granted broad internal network access by design: they retrieve documents from SharePoint, access tool call endpoints, and communicate with orchestration infrastructure. SSRF in that context has a larger reachable attack surface than SSRF in a conventional web application.
GitHub Copilot CVEs
Three GitHub Copilot vulnerabilities appear in this release.
CVE-2026-50510 is a Remote Code Execution in GitHub Copilot. Details on the exploitation vector are limited in public advisories, but GitHub Copilot runs in developer environments with access to code repositories and local development infrastructure. RCE in a developer tool is high-value targeting: developer machines are the origin point for code commits, build pipelines, and often have credentials to staging and production environments.
CVE-2026-41109 is a security feature bypass affecting both GitHub Copilot and VS Code. The specific feature bypassed is not detailed in the public advisory, but policy enforcement bypasses in coding tools are particularly relevant in enterprise environments where Copilot usage policies, data handling restrictions, or output filtering has been configured.
CVE-2026-47282 is an information disclosure in GitHub Copilot. Information disclosure in an AI coding assistant is context-dependent in severity: what’s disclosed, to whom, and in what context determines whether this is a minor API surface issue or a more significant data exposure.
M365 Copilot
Two M365 Copilot elevation of privilege vulnerabilities appear in this release. CVE-2026-41106 scores CVSS 9.3 — a high severity EoP in Microsoft’s flagship enterprise AI product. CVE-2026-58617 affects M365 Copilot for iOS specifically and scores as a lower-severity EoP.
The M365 Copilot surface is significant because it operates directly on enterprise Microsoft 365 data — emails, documents, meetings, and Teams conversations — and does so with the authentication context of the signed-in user. An elevation of privilege that expands what an authenticated Copilot session can access, or escalates its effective permissions within the M365 graph, has direct implications for data exposure beyond what the original user access would enable.
Pattern recognition
Nine AI product CVEs in a single Patch Tuesday — covering four distinct Microsoft AI products across desktop, mobile, cloud API, and developer tool deployment contexts — is a meaningful signal about the expanding attack surface that AI integration creates.
These are not vulnerabilities in AI models. They are conventional software vulnerabilities in the infrastructure that wraps AI capabilities and exposes them to users. The model itself may be fine; the Electron wrapper, the cloud API endpoint, the VS Code extension, and the iOS client each introduce their own vulnerability surface. The attack surface is additive: every new AI touchpoint is also a new potential exploitation path.
For defenders, the practical response is the same as for any client software: ensure update distribution is functioning for Copilot clients, confirm GitHub Copilot and VS Code updates are being pushed to developer endpoints, and verify Azure OpenAI service tiers are receiving the cloud-side mitigations. None of this batch requires configuration changes — it’s a patching exercise. But the pattern warrants tracking: as AI products proliferate into enterprise toolchains, their vulnerability surface will appear in patch cycle analysis alongside the conventional enterprise software stack.
References
- BleepingComputer — Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days
- MSRC — CVE-2026-48561 Microsoft Copilot Remote Code Execution Vulnerability
- MSRC — CVE-2026-45499 Azure OpenAI Elevation of Privilege Vulnerability
- MSRC — CVE-2026-41106 Microsoft 365 Copilot Elevation of Privilege Vulnerability
Frequently Asked Questions
- What is CVE-2026-48561 in Microsoft Copilot?
- CVE-2026-48561 is a Critical-rated Remote Code Execution vulnerability in the Microsoft Copilot desktop application. It can be triggered by a victim visiting a malicious website while Copilot is running — a drive-by exploitation scenario requiring no additional user interaction beyond navigation. Microsoft has released an updated Copilot client to address it.
- Is CVE-2026-45499 in Azure OpenAI a risk to customers?
- CVE-2026-45499 is an Elevation of Privilege vulnerability in Azure OpenAI scored CVSS 9.9, exploitable via Server-Side Request Forgery. Microsoft describes it as cloud-mitigated: the fix was applied to Azure infrastructure and no customer action is required. However the existence of a CVSS 9.9 SSRF in a major cloud AI service is significant from an attack surface characterisation standpoint.
- How many AI product CVEs were in the July 2026 Patch Tuesday?
- Nine CVEs affecting Microsoft's AI product suite were included — covering Copilot desktop (RCE), Azure OpenAI (EoP CVSS 9.9), M365 Copilot (two EoP vulnerabilities), GitHub Copilot (RCE, policy bypass, information disclosure), and M365 Copilot for iOS (EoP). This is the largest single-release AI product vulnerability batch Microsoft has published.