CVE-2026-47644: Microsoft Edge Copilot Chat Information Disclosure via Injection
A flaw in Microsoft Edge's Copilot Chat feature allows attackers to inject specially crafted code into the application, potentially exposing sensitive information. The vulnerability requires user interaction (such as clicking a malicious link) but does not require authentication. Once triggered, it could disclose data over the network without the user's knowledge.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-74
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Improper neutralization of special elements in output used by a downstream component ('injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47644 is an improper neutralization vulnerability (CWE-74 injection) in Copilot Chat within Microsoft Edge. The flaw stems from insufficient sanitization of special elements before they are passed to downstream components. An attacker can craft malicious input that, when processed by the application, executes in a context where it can read and exfiltrate sensitive information. The CVSS 3.1 score of 6.5 (MEDIUM) reflects network-based attack feasibility with user interaction required, high confidentiality impact, and no integrity or availability compromise.
Business impact
Organizations with Microsoft Edge deployments where Copilot Chat is actively used face moderate risk of sensitive data disclosure. If users interact with attacker-controlled content (phishing links, malicious documents, or compromised web pages), information accessed through Copilot Chat conversations or the broader application context could be leaked. This is particularly concerning for enterprises handling confidential documents or relying on AI assistants for analysis of proprietary data. Incident response and forensics complexity increases when user awareness of the vector is low.
Affected systems
Microsoft Copilot Chat in Microsoft Edge is the confirmed affected component. All versions prior to the patched release are vulnerable. Verify specific version numbers against Microsoft's security advisory. The vulnerability affects Windows and potentially other platforms on which Microsoft Edge runs, provided Copilot Chat is enabled or present.
Exploitability
Exploitation requires network access and user interaction, making it suitable for targeted phishing or supply-chain vector scenarios rather than mass exploitation. No authentication is needed, and the attack surface is broadly exposed to any Edge user. Practical exploitation requires crafting injection payloads tailored to Copilot Chat's input validation weaknesses. As of the stated ground-truth, this is not tracked in CISA's Known Exploited Vulnerabilities catalog, but the public disclosure and moderate severity suggest active research interest.
Remediation
Apply the latest security patch released by Microsoft for Edge as soon as it becomes available. Consult Microsoft's official security advisory for exact patch version numbers and deployment instructions. In parallel, consider organizational controls: disable Copilot Chat if it is not essential to operations, educate users on phishing risks, and implement email and web gateway filtering to reduce delivery of malicious links.
Patch guidance
Microsoft will release patches through Windows Update and the Microsoft Edge auto-update mechanism. Administrators should enable automatic updates for Edge or manually push the latest version through their deployment tools. Verify the patch version against Microsoft's advisory before deploying. Test patches in a non-production environment first, particularly if your organization has custom Edge policies or extensions. Document the patch date and version in your asset management and vulnerability tracking systems.
Detection guidance
Monitor Microsoft Edge application logs and network traffic for unusual data exfiltration patterns originating from Copilot Chat processes. Look for HTTP POST/GET requests to unexpected external domains from msedge.exe or related processes. Endpoint detection and response (EDR) tools should be configured to flag process execution anomalies tied to Edge subprocesses. Log Copilot Chat activity if the feature supports audit trails. Network IDS/IPS signatures targeting CWE-74 injection patterns may detect attack attempts in transit.
Why prioritize this
Although the CVSS score is MEDIUM (6.5), prioritize patching based on your organization's reliance on Edge and Copilot Chat adoption. If Copilot Chat is widely enabled and users frequently interact with external content or AI analysis of sensitive documents, move this to near the top of your patch queue. Conversely, if Edge deployment is limited or the feature is disabled, it can be addressed within a standard monthly patch cycle. The lack of active exploitation in the wild currently provides a small window to patch before opportunistic attacks mature.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a network-based attack (AV:N) with low complexity (AC:L), no privilege requirement (PR:N), and user interaction needed (UI:R). The impact is high for confidentiality (C:H) but not for integrity (I:N) or availability (A:N), and the scope is unchanged (S:U). This puts it in the MEDIUM band—serious enough to warrant prompt patching and user awareness, but not immediately critical infrastructure-threatening.
Frequently asked questions
Do I need to disable Copilot Chat right now?
Not necessarily. The vulnerability requires user interaction with attacker-controlled content. If your organization can restrict Edge usage to trusted internal sites or enforce strict phishing awareness training, you can tolerate moderate risk while awaiting patches. However, if you operate in a high-risk environment or Copilot Chat is not mission-critical, disabling it is a valid defense-in-depth measure.
Can this vulnerability steal my passwords or credentials?
The vulnerability enables information disclosure, which in principle could include sensitive data visible in the user's Copilot Chat context or the broader Edge application state. However, it does not directly target credential stores or enable arbitrary code execution on the system. That said, if a user has pasted sensitive information into a Copilot Chat conversation, that data is at risk if the injection is successfully exploited.
Is Copilot Chat enabled by default in Microsoft Edge?
Copilot Chat availability and default state vary by Edge version and region. Consult Microsoft's documentation or check your Edge settings. If you are unsure whether it is active in your organization, audit your deployed Edge configurations and consider explicitly disabling it via Group Policy if you do not require the feature.
How is this different from typical XSS vulnerabilities?
While both involve injection of malicious input, this CWE-74 flaw is a generalized injection vulnerability affecting downstream components. It may exploit Copilot Chat's command processing, API calls, or data transformations rather than just web page rendering. The exact attack vector will be clarified in Microsoft's advisory once more details are public.
This analysis is provided for informational and educational purposes. SEC.co does not confirm exploitation in the wild or provide exploit code. Patch version numbers and detailed remediation steps must be verified against Microsoft's official security advisory. Organizations should consult with their security operations and IT teams before implementing any changes. This vulnerability analysis reflects public information as of the stated modification date; further details may emerge as disclosure matures. Source: NVD (public-domain), retrieved 2026-07-13. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0
- CVE-2026-10171MEDIUMSQL Injection in code-projects Online Music Site 1.0 AdminUpdateAlbum.php
- CVE-2026-10175MEDIUMCode Injection in Aider-AI Aider 0.86.3 – Exploit Available