Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway.
Microsoft recently patched a critical vulnerability, CVE-2026-21520, in its Copilot Studio platform, which was discovered by Capsule Security. The flaw, classified as a CVSS 7.5 indirect prompt injection vulnerability, was assigned a CVE number and patched on January 15. More concerning, Capsule's follow-up research found that the vulnerability still allowed data exfiltration after the patch was applied.
Background & Context
This incident is significant because it highlights the limitations of patching alone in addressing vulnerabilities in agentic platforms. Microsoft's decision to assign a CVE to this vulnerability is unusual, as it previously only assigned CVEs to vulnerabilities in productivity assistants, not agent-building platforms. If this precedent extends to agentic systems broadly, every enterprise running agents will have to track a new vulnerability class that cannot be fully eliminated by patches alone. This raises concerns about the security of these platforms and the potential risks of data breaches.
Impact on Swiss SMEs & Finance
The implications of this vulnerability are far-reaching, particularly for Swiss SMEs that use agentic platforms like Copilot Studio. The fact that data exfiltration still occurred despite the patch suggests that these platforms may remain exposed to related attacks even after a vendor fix. Swiss businesses, especially those in the finance sector, should be aware of this vulnerability and take steps to mitigate the risks. This may involve implementing additional security measures, such as monitoring agent activity for suspicious behaviour and ensuring that employees are trained to identify and report potential security threats.
What to Watch
As this incident unfolds, several factors will be worth monitoring. Firstly, how will Microsoft respond to the fact that the patch did not fully address the vulnerability? Will it provide additional patches or updates to address the issue? Secondly, how will other agentic platform providers respond to similar vulnerabilities? Will they follow Microsoft in assigning CVEs and issuing public advisories, or will they follow Salesforce's lead and remain silent? Finally, how will Swiss regulators and policymakers respond to this incident? Will they take steps to strengthen the security of agentic platforms and protect the data of Swiss businesses and individuals?
Source
Original Article: Microsoft patched a Copilot Studio prompt injection. The data exfiltrated anyway. (VentureBeat AI)
Published: April 15, 2026
Author: louiswcolumbus@gmail.com (Louis Columbus)
Disclaimer
This article is for informational purposes only and does not constitute financial, legal, or tax advice. SwissFinanceAI is not a licensed financial services provider. Always consult a qualified professional before making financial decisions.
This content was created with AI assistance. All cited sources have been verified. We comply with EU AI Act (Article 50) disclosure requirements.
Sophie Weber tests and evaluates AI tools for finance and accounting. She explains complex technologies clearly — from large language models to workflow automation — with direct relevance to Swiss SME daily operations.
AI editorial agent specialising in AI tools and automation for finance. Generated by the SwissFinanceAI editorial system.