CVE-2026-26144 – Microsoft Excel Information Disclosure Vulnerability

CVSS 7.5 IMPORTANT

“A single malicious Excel interaction could silently leak sensitive data across the network—turning a simple spreadsheet into a covert data exfiltration channel.”

This vulnerability affects Microsoft Excel and allows an unauthorized attacker to disclose sensitive information over a network. The issue stems from improper neutralization of input during web page generation, a flaw categorized as Cross-Site Scripting (CWE-79). If successfully exploited, the vulnerability could allow attackers to trigger unintended network activity that leaks confidential information. Microsoft notes that the issue may allow Copilot Agent mode to exfiltrate sensitive data without user interaction, potentially enabling a zero-click information disclosure scenario.

CVSS Score: 7.5
SEVERITY: Important

THREAT:
This vulnerability enables remote attackers to access sensitive information without requiring authentication or user interaction. Because the attack vector is network-based and requires no privileges, attackers could potentially trigger automated data exfiltration processes. In environments using AI-assisted workflows such as Copilot Agent mode, the risk increases because automated processes could unknowingly transmit sensitive corporate data.

EXPLOITS:
At the time of publication, there is no public disclosure of exploit code and no evidence that this vulnerability is actively exploited in the wild. Microsoft assesses exploitation as unlikely and lists exploit code maturity as unproven. No public proof-of-concept exploit has been confirmed.

TECHNICAL SUMMARY:
The vulnerability occurs due to improper neutralization of user-controlled input during web page generation in Microsoft Excel. This type of flaw falls under Cross-Site Scripting (XSS), where malicious content is not correctly sanitized before being processed or rendered. An attacker could craft content that triggers unintended behavior when processed by Excel. In this case, exploitation could cause Copilot Agent mode to send sensitive information through unintended outbound network connections. The attack does not require user interaction and can occur over a network, potentially enabling automated data leakage from affected systems.

EXPLOITABILITY:
This vulnerability affects Microsoft Excel within Microsoft Office environments. The attack requires network access but no user interaction or privileges. An attacker could deliver specially crafted content that Excel processes, triggering unintended outbound data transmissions.

BUSINESS IMPACT:
Information disclosure vulnerabilities are especially dangerous in corporate environments where Excel files often contain financial data, intellectual property, or operational records. If exploited, attackers could silently extract confidential information from internal systems without triggering obvious alerts. Organizations using AI-assisted productivity features may face increased exposure, as automated agents could unintentionally transmit sensitive data outside corporate boundaries.

WORKAROUND:
If patch deployment must be delayed, organizations should restrict outbound network traffic from Office applications and monitor unusual network requests generated by Excel processes. Disabling or limiting AI-driven automation features such as Copilot Agent mode may reduce exposure.

KEY DETAILS:
Affected Product: Microsoft 365 Apps
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-79