Notebookcheck Logo

Microsoft Copilot: Websites could secretly issue commands to the AI

Hand holding a smartphone with a glowing screen in the dark
ⓘ Towfiqu barbhuiya / Pexels
A malicious website could silently send prompts to Copilot via Microsoft Edge for Android. Microsoft patched the flaw on Patch Tuesday.
Microsoft has patched a critical flaw in the Copilot apps for Android and iOS. A malicious website could push commands to the AI through Microsoft Edge without the user noticing. It is rated 9.6 out of 10, and Microsoft says it was never exploited.

Microsoft fixed a critical vulnerability in Copilot on Patch Tuesday, July 14. Tracked as CVE-2026-48561, it carries a CVSS score of 9.6 out of 10, which puts it among the most severe entries of the month. Ofek Levin of the security firm Enclave reported it.

All it took was a website

The attack route ran through the browser. According to Microsoft, an attacker could host a malicious website that tricks Microsoft Edge for Android into firing crafted prompts at Copilot on the device. Visiting the page was enough.

The real problem was in how those requests were handled. The affected component took them without asking for confirmation and never checked where they came from, so the prompts went through without the user noticing. Microsoft says the result could be unintended actions in Copilot, such as reading or changing data. It classifies the flaw as command injection.

These apps are listed in the advisory

Microsoft names two affected products, Microsoft 365 Copilot for iOS and Microsoft 365 Copilot for Android. The description of the attack, though, mentions only Edge for Android. Microsoft leaves that gap unexplained.

Something else stands out. The update links in the advisory do not point to a Copilot app on either platform. They point to Microsoft Edge in the App Store and on Google Play. Microsoft never names a build number that contains the fix, and the release notes for Edge Mobile do not mention the flaw either. The latest version for Android and iOS, 150.0.4078.65, shipped on July 13.

What you should do now

First, the good news. The flaw was not public before Patch Tuesday, and Microsoft says it was never exploited. No working exploit exists, and Microsoft itself rates exploitation as less likely. It does not appear on CISA’s list of known exploited vulnerabilities.

Since Microsoft will not name a version, the practical move is the simple one. Keep the Copilot app and Microsoft Edge current on your phone, through the Play Store on Android or the App Store on iOS. And if you never use Copilot on your phone, just delete it.

Not the first case of this kind

Attacks that slip in between users and their AI assistants are becoming more common. In late June, ad blockers in disguise turned up that could read chats with ChatGPT and Gemini. If you want to know what your AI assistants store about you and how to switch it off, our overview of the storage settings walks through it. And if you would rather keep Copilot out of your workday, you can disable Copilot and Facilitator in Microsoft Teams.

Google LogoAdd as a preferred source on Google
Mail Logo
static version load dynamic
Loading Comments
Comment on this article
> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2026 07 > Microsoft Copilot: Websites could secretly issue commands to the AI
Steffen Zahn, 2026-07-15 (Update: 2026-07-15)