SearchLeak pushes Copilot permission cleanup up the list

On 15 June 2026, Varonis disclosed SearchLeak, a three-stage vulnerability chain in Microsoft 365 Copilot Enterprise Search. According to the researchers, a crafted Microsoft 365 link could make Copilot search a user's mailbox, calendar, SharePoint and OneDrive content, then leak selected results through an image request. Microsoft remediated the issue as CVE-2026-42824 before disclosure, so no customer patch action is required for the fixed flaw.
Before SearchLeak, many small admin teams treated Copilot readiness as a permission-cleanup project they could finish after rollout. Overshared libraries, stale project sites and old external links were uncomfortable, but they usually stayed buried until someone searched for them. The patched flaw shows why that delay is dangerous: Copilot searches with the access the user already has, so broad permissions and abandoned SharePoint content become part of the AI search surface the moment a user, or an attacker who can steer that user's Copilot session, finds a way to query it.
Analysis
Pick the ten SharePoint sites and Teams with the broadest external or guest access and review them first. For each one, remove stale sharing links, confirm an owner, and record whether the site should be visible to Copilot at all, before moving on to the long tail.
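The following script is an added example of how that first pass can be scripted; it is not code from Varonis, Microsoft or Collab365. It uses the SharePoint Online Management Shell to rank site collections (Teams-connected sites included) by sharing setting and guest count, writes the top ten to a worksheet with the owner and last-change date alongside empty decision columns, and then applies the recorded decisions. The tenant admin URL, the worksheet path and the CopilotVisible and Action column names are assumptions made for this example.

```powershell
# Added example for this article; not Varonis', Microsoft's or Collab365's code.
# Requires the SharePoint Online Management Shell module and a SharePoint Administrator
# account. The tenant admin URL, worksheet path and the CopilotVisible/Action columns
# are assumptions made for the example.
param(
    [string]$AdminUrl  = "https://contoso-admin.sharepoint.com",  # assumed tenant
    [string]$Worksheet = ".\copilot-site-review.csv",            # assumed path
    [int]$Top = 10
)

Connect-SPOService -Url $AdminUrl

# Rank external-sharing settings from broadest to tightest (SharingCapability values).
$sharingScore = @{
    'ExternalUserAndGuestSharing'     = 3   # "Anyone" links allowed
    'ExternalUserSharingOnly'         = 2   # new and existing guests
    'ExistingExternalUserSharingOnly' = 1   # existing guests only
    'Disabled'                        = 0   # internal only
}

function Get-SiteExposure {
    # One row per site collection: sharing setting, guest accounts that currently
    # have access, owner and last content change.
    Get-SPOSite -Limit All -Detailed | ForEach-Object {
        $site   = $_
        $guests = @()
        $pos    = 0
        try {
            do {   # Get-SPOExternalUser returns at most 50 entries per call
                $page    = @(Get-SPOExternalUser -SiteUrl $site.Url -Position $pos -PageSize 50)
                $guests += $page
                $pos    += 50
            } while ($page.Count -eq 50)
        } catch {
            Write-Warning "Could not enumerate guests on $($site.Url): $_"
        }
        $setting = [string]$site.SharingCapability
        [pscustomobject]@{
            Url            = $site.Url
            Title          = $site.Title
            Owner          = $site.Owner
            Sharing        = $setting
            SharingScore   = $sharingScore[$setting]
            GuestCount     = $guests.Count
            LastContentMod = $site.LastContentModifiedDate
            CopilotVisible = ''   # reviewer records Yes or No
            Action         = ''   # reviewer records Keep or DisableExternal
        }
    }
}

function Export-ReviewWorksheet {
    # Broadest sharing first, then most guests: the first $Top rows are the review queue.
    Get-SiteExposure |
        Sort-Object -Property SharingScore, GuestCount -Descending |
        Select-Object -First $Top |
        Export-Csv -Path $Worksheet -NoTypeInformation
}

function Invoke-ReviewDecisions {
    # Apply the decisions recorded in the worksheet; rows with no decision are left alone.
    foreach ($row in Import-Csv -Path $Worksheet) {
        if ($row.Action -eq 'DisableExternal') {
            # Turns off external sharing for the site; guest access and external links stop working.
            Set-SPOSite -Identity $row.Url -SharingCapability Disabled
        }
        if ($row.CopilotVisible -eq 'No') {
            # Restricted Content Discovery: keeps the site out of org-wide search and Copilot
            # results without changing who can open it directly.
            Set-SPOSite -Identity $row.Url -RestrictContentOrgWideSearch $true
        }
    }
}
```

Dot-source the script, run Export-ReviewWorksheet to build the queue, fill in the CopilotVisible and Action columns with the site owner, then run Invoke-ReviewDecisions. Note that Restricted Content Discovery only hides a site from search and Copilot; it does not remove anyone's access, so an overshared site still needs its sharing links and permissions cleaned up, which this script does not do for individual links.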
Pulse published by Collab365 Spaces, reviewed by Helen Jones on . Cite as "SearchLeak pushes Copilot permission cleanup up the list", Collab365 Spaces. 1 source referenced.