Microsoft Copilot: Websites could secretly issue commands to the AI

Microsoft fixed a critical vulnerability in Copilot on Patch Tuesday, July 14. Tracked as CVE-2026-48561, it carries a CVSS score of 9.6 out of 10, which puts it among the most severe entries of the month. Ofek Levin of the security firm Enclave reported it.
All it took was a website
The attack route ran through the browser. According to Microsoft, an attacker could host a malicious website that tricks Microsoft Edge for Android into firing crafted prompts at Copilot on the device. Visiting the page was enough.
The real problem was in how those requests were handled. The affected component took them without asking for confirmation and never checked where they came from, so the prompts went through without the user noticing. Microsoft says the result could be unintended actions in Copilot, such as reading or changing data. It classifies the flaw as command injection.
These apps are listed in the advisory
Microsoft names two affected products, Microsoft 365 Copilot for iOS and Microsoft 365 Copilot for Android. The description of the attack, though, mentions only Edge for Android. Microsoft leaves that gap unexplained.
Something else stands out. The update links in the advisory do not point to a Copilot app on either platform. They point to Microsoft Edge in the App Store and on Google Play. Microsoft never names a build number that contains the fix, and the release notes for Edge Mobile do not mention the flaw either. The latest version for Android and iOS, 150.0.4078.65, shipped on July 13.
What you should do now
First, the good news. The flaw was not public before Patch Tuesday, and Microsoft says it was never exploited. No working exploit exists, and Microsoft itself rates exploitation as less likely. It does not appear on CISA’s list of known exploited vulnerabilities.
Since Microsoft will not name a version, the practical move is the simple one. Keep the Copilot app and Microsoft Edge current on your phone, through the Play Store on Android or the App Store on iOS. And if you never use Copilot on your phone, just delete it.
Not the first case of this kind
Attacks that slip in between users and their AI assistants are becoming more common. In late June, ad blockers in disguise turned up that could read chats with ChatGPT and Gemini. If you want to know what your AI assistants store about you and how to switch it off, our overview of the storage settings walks through it. And if you would rather keep Copilot out of your workday, you can disable Copilot and Facilitator in Microsoft Teams.





