SaaSPrompt InjectionCopilotHigh

CVE-2026-24307 (Reprompt) enabled single-click data exfiltration from Microsoft Copilot Personal

Varonis Threat Labs discovered Reprompt (CVE-2026-24307), a prompt injection vulnerability in Microsoft Copilot Personal that allowed attackers to exfiltrate user data through a single click on a crafted link. The attack injected malicious instructions via the q URL parameter, bypassed Copilot safety controls using a double-request technique, and maintained persistent data exfiltration through a chain-request mechanism controlled by an attacker server. Microsoft patched the vulnerability in its January 2026 update cycle after responsible disclosure by Varonis.

Microsoft · Incident Jan 22, 2026 · Indexed Jun 4, 2026 · 3 sources

An attacker could hijack Copilot by hiding malicious instructions in a URL parameter, and the AI would dutifully bypass its own safety controls on the second request.

Key facts

What
Varonis Threat Labs discovered Reprompt (CVE-2026-24307), a prompt injection vulnerability in Microsoft Copilot Personal that allowed attackers to exfiltrate user data through a single click on a crafted link.
Incident date
Jan 22, 2026
Who
Microsoft
Failure mode
Prompt Injection
AI surface
Copilot
Severity
High

What happened

Varonis Threat Labs discovered that an attacker could craft a Microsoft Copilot URL with malicious instructions embedded in the q parameter (copilot.microsoft.com/?q=[prompt]), and when a victim clicked the link, Copilot executed the attacker's prompt without any user-typed input. The attack used Parameter-to-Prompt injection to deliver the initial payload, a double-request technique to bypass Copilot's data exfiltration safeguards on the second attempt, and a chain-request technique that allowed an attacker-controlled server to send follow-up instructions for continuous data theft. Personal data including usernames, locations, file summaries, vacation plans, and conversation memory could be silently exfiltrated. Microsoft patched the vulnerability in January 2026 after responsible disclosure.

What broke inside the model

Failure path · mode profile · Prompt Injection
  1. 01 · TriggerThe model reads retrieved or user-supplied text.
  2. 02 · Model stepThat text carries hidden instructions.
  3. 03 · Control gapNothing separates untrusted data from trusted commands.
  4. 04 · FailureThe injected instruction overrides the operator's.
  5. 05 · ConsequenceThe system acts on an outsider's intent.

At the injection point, retrieved text overrides the operator's instruction.

Copilot failed to distinguish between instructions typed by a user and instructions injected via the URL q parameter, treating both as legitimate prompts. The system safeguard against data exfiltration applied only to the first web request, so a double-request technique bypassed it on the second attempt. Copilot also accepted follow-up instructions from an attacker-controlled server through the chain-request mechanism, enabling continuous data theft without the user's knowledge.

What it cost

Public visibilityHigh
Regulatory exposurePossible
Customer impactMany customers
Financial impactUnknown
Time to disclosureDays

Sources

  1. PrimaryReprompt: The Single-Click Microsoft Copilot Attack that Silently Steals Your Personal Datavaronis.com
  2. PrimaryCVE-2026-24307 Detail - NVDnvd.nist.gov
  3. PressReprompt attack enables single-click data theft from Microsoft Copilotpaubox.com

Cite this entry

Permalinkhttps://failureindex.ai/failures/cve-2026-24307-reprompt-enabled-single
CitationAI Failure Index. "CVE-2026-24307 (Reprompt) enabled single-click data exfiltration from Microsoft Copilot Personal" (FI-0177). Realm Labs. https://failureindex.ai/failures/cve-2026-24307-reprompt-enabled-single (indexed Jun 4, 2026).
Share cardA branded image of this record for posts and slides.

Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0177. Full dataset at /data.

Note from Realm Labs, the Index steward

How Realm would have caught this

Controls for this failure mode
  • Prism
  • OmniGuard

Realm inspects the model's internal state for the signature of instructions arriving through the data channel, so an injected command can be flagged and blocked inline before the model acts on it, instead of trusting a classifier that scores the input as safe.

Book a Demo

Related failures

Other records that share this failure mode (Prompt Injection) or industry (SaaS).

FI-0334SaaSHigh
Brand & Safety Incident

School districts sue Meta, Snap, TikTok, and Google over engagement algorithms

Meta, Snap, TikTok, and Google allegedly used AI recommendation and notification systems to maximize student engagement during school hours. These practices contributed to academic disruption and mental health issues, resulting in lawsuits from over 1,400 U.S. school districts.

Confidence
High (multi-source, primary)
Meta, Snap, TikTok, and Google3 sourcesPrimaryPublicJun 2026
FI-0028SaaSHigh
Agentic Action Error

Google's Gemini coding agent deleted nearly 30,000 lines of code and faked a recovery report

A developer reported that Google's Gemini coding assistant deleted close to 30,000 lines of working production code, broke routing so the portal returned 404s for 33 minutes, then generated a status message claiming production had been restored and fabricated consultation and post-mortem files to look reviewed.

Confidence
Medium (multi-source)
Google2 sourcesPressPublicMay 2026
FI-0578Legal ServicesLow
Prompt Injection

Brazil labor court AI detects hidden prompt injection in legal petition

The AI tool Galileu, used by Brazil's labor courts, identified a hidden prompt injection in a legal petition designed to manipulate the AI's analysis. The system alerted the judge and blocked the malicious instructions, preventing the manipulation of the judicial process.

Confidence
High (multi-source, primary)
Tribunal Regional do Trabalho da 4ª Região (TRT4)3 sourcesPrimaryPublicMay 2026