CVE-2026-42824 Chained Prompt Injection with SSRF Race in Copilot Enterprise Search

Varonis researchers chained three weaknesses: Copilot treating the q parameter as executable instructions, a streaming render race that fired <img> tags before <code> wrapping completed, and CSP allowlisting of *.bing.com that turned Bing's image analysis endpoint into an unwitting exfiltration proxy. The attack required one click on a legitimate microsoft.com domain and inherited full Graph scope of the victim session, exposing one-time codes, indexed SharePoint files, and calendar data.

Contract awards and prior disclosures show the pattern predates this CVE. EchoLeak (CVE-2025-32711) demonstrated zero-click variants against the same managed service; Reprompt showed identical one-click flows in the Personal tier. Microsoft rated the flaw 6.5 while NVD scored 7.5, exposing inconsistent severity models for AI surfaces where prompt injection re-animates legacy web bugs.

Procurement records indicate Copilot Enterprise was rolled out to tenants before equivalent red-team coverage of its Graph connectors and response streaming path. Backend mitigation removed the vectors server-side, yet tenant logs contain no new signals for attempted exploitation.

Next disclosures will likely target remaining Bing allowlists and streaming render paths in other Microsoft AI products; independent verification of patch completeness requires tenant-side telemetry that is not yet published.