The bug Microsoft patched
CVE-2026-21520 is the bug Capsule Security named "ShareLeak." A public-facing SharePoint form lets a customer submit a comment. A Copilot Studio agent reads new submissions to triage them. The agent has access to other SharePoint Lists (customer records, pricing, internal notes) and can send email through the connected Outlook account.
Capsule's proof-of-concept dropped a crafted payload into the comment field. The payload contained instructions framed as if they came from the system role: ignore the customer's actual comment, query the connected Lists for customer records, format the records as an email, send it to an attacker-controlled mailbox. Copilot Studio concatenated the comment with its system instructions, the model treated the injection as legitimate context, and the agent performed the requested data egress. Microsoft assigned a CVSS 7.5 score and shipped the patch a few weeks after disclosure.
That's the story of the bug. The story of the patch is what changed in April.
The patch shipped. The attack still worked.
Capsule re-ran the same proof-of-concept against the patched system. Two things happened that they didn't expect.
First, Microsoft's own safety classifier flagged the malicious input as suspicious before the agent ran. The classifier worked as designed. The user-visible reply included a warning about a potential prompt-injection attempt.
Second, the data was exfiltrated anyway. The patch didn't stop the agent from executing the injected instructions. It just added a flag in the response that a human would have to notice and act on. In Capsule's testing, the SharePoint List query ran, the email was composed, the message was sent. The safety system saw the attack and labeled it. The execution path was unchanged.
The Microsoft Security Blog post on May 7, covering two CVEs in the Semantic Kernel framework (CVE-2026-26030 in the Python SDK and CVE-2026-25592 in the .NET SDK), makes the architectural point more directly. The Python flaw lived in the InMemoryVectorStore: a filter expression the model could influence was compiled to a lambda and run through eval(), so an injection that shaped the filter could execute arbitrary code on the host. Microsoft's fix was not to harden the prompt-injection defense. It was to constrain what the evaluator would accept at all, an allowlist enforced at the syntax-tree level (permitted node types, permitted function calls, a blocklist of dangerous attributes). The model can no longer reach a dangerous operation because the layer underneath it refuses to run anything outside the allowlist.
Read those two posture changes together. The Copilot Studio patch tried to filter the malicious input and failed. The Semantic Kernel patch constrained what the model could reach in the first place. The second approach worked. The first one didn't.
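The syntax-tree allowlist pattern the post describes for the Semantic Kernel fix, written out as an added example; this is illustrative code, not Microsoft's SDK, and the field names, method allowlist and sample rows are constructed. The filter is parsed, every node is checked against node-type, name, call and attribute allowlists, and only a tree that passes is evaluated, with builtins stripped from the scope.

```python
import ast

# Constructed sample rows standing in for a connected list; not real customer data.
RECORDS = [
    {"name": "Acme", "region": "EU", "price": 120},
    {"name": "Globex", "region": "US", "price": 80},
]

# Allowlists enforced on the syntax tree before anything is evaluated.
ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
                 ast.Compare, ast.Eq, ast.NotEq, ast.Gt, ast.GtE, ast.Lt, ast.LtE,
                 ast.Name, ast.Load, ast.Constant, ast.Attribute, ast.Call)
ALLOWED_FIELDS = {"name", "region", "price"}        # names a filter may reference
ALLOWED_CALLS = {"len": len}                         # bare function calls permitted
ALLOWED_METHODS = {"lower", "upper", "startswith"}   # methods a field may expose
ALLOWED_NAMES = ALLOWED_FIELDS | set(ALLOWED_CALLS)

class FilterRejected(ValueError):
    """Raised when a filter uses anything outside the allowlists."""

def check_filter(expr: str) -> ast.Expression:
    """Parse a filter and reject it unless every node is allowlisted."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise FilterRejected(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            raise FilterRejected(f"unknown name: {node.id}")
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) \
                and node.func.id not in ALLOWED_CALLS:
            raise FilterRejected(f"disallowed call: {node.func.id}")
        if isinstance(node, ast.Attribute):
            # Dangerous-attribute blocklist (dunders/privates) plus a method allowlist;
            # attributes may only hang off a field name, never off a call or constant.
            if node.attr.startswith("_") or node.attr not in ALLOWED_METHODS:
                raise FilterRejected(f"disallowed attribute: {node.attr}")
            if not isinstance(node.value, ast.Name):
                raise FilterRejected("attribute access only on a field")
    return tree

def apply_filter(expr: str, rows: list) -> list:
    """Run a checked filter over rows; builtins are removed from the eval scope."""
    code = compile(check_filter(expr), "<filter>", "eval")
    scope = {"__builtins__": {}, **ALLOWED_CALLS}
    return [row for row in rows if eval(code, scope, dict(row))]

def is_rejected(expr: str) -> bool:
    """True if the checker refuses expr before it could ever run."""
    try:
        check_filter(expr)
        return False
    except (FilterRejected, SyntaxError):
        return True
```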
This is not one vendor's problem. In June, an OWASP researcher told Infosecurity Europe that prompt injection remains unsolved as an architectural matter. OpenAI had conceded the same point in February, shipping a "Lockdown Mode" for its browser agent and saying plainly that prompt injection there may never be fully patched. The failure crosses vendors too: researchers showed a single poisoned pull-request title hijacking Anthropic's Claude Code review agent, Google's Gemini CLI, and GitHub's Copilot agent at once, none of them holding any special access. Three of the most scrutinized coding agents in the industry fell to the same line of text. The shared weakness is the layer they all trust to separate instructions from content.
Why this matters for a small business
Most small businesses don't run Copilot Studio or Semantic Kernel directly. They use SaaS products that do, often without saying so. The AI features in your CRM, your ticket system, your scheduling tool, your accounting software are increasingly built on Microsoft's AI platform or on equivalent agentic frameworks from other vendors. When the vendor's prompt-injection defense fails, the data flowing through that vendor's agent is your customer data.
The Capsule research is the part to internalize: the standard mitigation strategy, patching prompt injection at the detection layer, didn't stop the attack. The deeper fix, not letting the model reach the dangerous capability, is harder to implement and requires the vendor to redesign how their agent is wired. Most vendors haven't done that work yet.
This is the same architectural lesson that landed on Anthropic's MCP SDK with CVE-2026-30623, where Anthropic publicly declined to add allowlists or manifest-only execution and called the configuration-becomes-command-execution behavior "expected." That was the piece on MCP's first design-level CVE. The Copilot Studio finding is the same shape of problem in a different vendor's product.
What to actually do this month
Four questions, written down, sent to every vendor whose product makes AI tool calls on your behalf.
1. When was the last prompt-injection penetration test of the agent in our tenant? Not the framework, the deployed agent. Vendors that haven't tested in the last 90 days haven't seen the current state of the attack literature. Vendors that can't answer the question at all aren't running the test.
2. If the agent's input filter fails, what stops the tool call from happening anyway? The right answer names a specific control: an allowlist on which tools the agent can invoke without human approval, an out-of-band confirmation before any data egress, a hard block on sending to addresses outside the tenant. "We rely on the model's safety training" is not a control.
3. What does the audit log of agent tool calls look like, and how fast can I see one from yesterday? If the answer is "submit a ticket and we'll get back to you," the audit log isn't usable for incident response. If the answer is "log into the admin console, here are the tool calls in real time," it is.
4. If a payload like the ShareLeak proof-of-concept landed in our environment, what would happen? The answer should be specific: the input filter would catch it, the agent would still try to act on it, the tool-allowlist would block the data-egress call, the operator would see the attempt in the log. A vendor who can describe that flow has thought about it. A vendor who can't, hasn't.
These four questions are the start of the AI agent security review I do with clients. Doing them yourself takes a couple of hours. Doing them with a second pair of eyes is usually a couple more hours and produces a written record you can act on.
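What a specific answer to questions 2, 3 and 4 looks like in code, as an added example (not any vendor's product): a policy gate that sits between the model's requested tool call and its execution, with a no-approval allowlist, a hard block on recipients outside the tenant, out-of-band confirmation for any other egress, and an audit line written for every attempt, including blocked ones. The tenant domain, tool names and ShareLeak-shaped call sequence are constructed.

```python
import json
from dataclasses import dataclass

# Assumed tenant domain; placeholder, not a value from the post.
TENANT_DOMAIN = "example.com"
# Tools the agent may call with no human in the loop (hypothetical tool names).
AUTO_ALLOWED = {"lists.read_submission", "lists.query"}
# Tools that move data out of the tenant: never automatic, confirmation is out of band.
EGRESS_TOOLS = {"mail.send", "http.post"}

AUDIT_LOG = []  # one JSON line per attempted tool call, readable without a ticket

@dataclass
class Decision:
    allow: bool
    reason: str
    needs_approval: bool = False

def authorize(tool: str, args: dict, approved: bool = False) -> Decision:
    """Decide on policy alone; nothing in the model's output can change the policy."""
    if tool in AUTO_ALLOWED:
        return Decision(True, "on the no-approval allowlist")
    if tool in EGRESS_TOOLS:
        recipients = [r.strip().lower() for r in args.get("to", [])]
        external = [r for r in recipients if not r.endswith("@" + TENANT_DOMAIN)]
        if external:
            return Decision(False, f"hard block: recipient outside tenant: {external}")
        if not approved:
            return Decision(False, "egress held for out-of-band confirmation", True)
        return Decision(True, "egress confirmed by a human")
    return Decision(False, "tool not on any allowlist")

def gated_call(tool: str, args: dict, approved: bool = False) -> Decision:
    """Decide, then record the attempt; blocked calls still leave an audit record."""
    decision = authorize(tool, args, approved)
    AUDIT_LOG.append(json.dumps({"tool": tool, "args": args,
                                 "allowed": decision.allow, "reason": decision.reason}))
    return decision

def shareleak_shaped_run() -> list:
    """The sequence an injected comment would try to drive, as the gate sees it."""
    return [
        gated_call("lists.read_submission", {"list": "PublicForm", "id": 42}),
        gated_call("lists.query", {"list": "Customers", "query": "*"}),
        gated_call("mail.send", {"to": ["someone@external-mailbox.test"], "body": "..."}),
        gated_call("mail.send", {"to": ["ops@example.com"], "body": "..."}),
        gated_call("mail.send", {"to": ["ops@example.com"], "body": "..."}, approved=True),
    ]
```

The query against the customer list still runs in this model, exactly as it did in Capsule's test; the difference is that the egress step cannot complete without a human, and the attempt is already in the log.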
The structural shift to expect
Prompt injection is going to keep getting CVE numbers. Microsoft's decision to assign one to Copilot Studio set a precedent that other vendors will follow. The CVE numbers help; they create a public record, they force a patch, they get the bug into compliance dashboards. They don't, on their own, fix the architecture.
The fix is to assume the prompt-injection defense will eventually fail and to design the agent so the failure doesn't produce data egress, lateral movement, or code execution. That's the shape of the work Microsoft did on Semantic Kernel by constraining what the model could reach to an allowlist. It's the work Anthropic declined to do on MCP. And it's the work every vendor running a tool-using agent will eventually have to do, on a timeline set by which of them gets sued first.
Small businesses can't do that architectural work themselves. They can ask the four questions, prefer the vendors whose answers are specific, and limit the data scope of any AI agent feature they've already turned on. The piece on shadow AI in small business covers the broader inventory step; this is the follow-up question for the AI features your business has chosen on purpose.
The Bottom Line
- Microsoft patched CVE-2026-21520 (Copilot Studio "ShareLeak") in January. In April, Capsule Security published a follow-up showing the patch's safety filter flags the attack but doesn't stop the data exfiltration.
- On May 7, Microsoft disclosed CVE-2026-25592 and CVE-2026-26030 in Semantic Kernel. The fix was to constrain what the model could reach with an allowlist at the layer underneath it, not to filter the prompt better. That's the harder, slower, correct shape of the fix.
- The industry now says this out loud. OpenAI shipped a Lockdown Mode in February and conceded prompt injection in its browser agent may never be fully patched; an OWASP researcher called it unsolved in June; and one poisoned pull-request title hijacked Claude Code, Gemini CLI, and Copilot at the same time. The defense everyone leans on sits at the wrong layer.
- The pattern matches Anthropic's "expected behavior" stance on MCP CVE-2026-30623. Prompt-injection defense at the filter layer is not enough. The architectural fix is to constrain what the agent can do when the filter fails.
- For SMBs using vendor AI features: ask the four questions above. Most vendors won't answer #2 or #4 specifically. The ones who can are worth keeping. The ones who can't are running a defense that's already been shown to fail.
If you want a second pair of eyes on the AI features your vendors have already turned on, walking the four questions above against your actual stack is an afternoon of work I do with clients. It produces a written record you can act on, regardless of which way the next CVE goes. Connect on LinkedIn.
Keep reading: MCP Just Had Its First Design-Level CVE covers the same architecture problem in Anthropic's SDK. Your Small Business Is Already Running AI You Don't Know About covers the inventory step. ClawHavoc covers the supply-chain side of agent risk.
Sources
- CVE-2026-21520 (Copilot Studio "ShareLeak"): disclosure, the January 15 patch, and the mid-April follow-up showing data exfiltrated past the patch. Per Capsule Security's research writeup, VentureBeat, and Dark Reading.
- Microsoft Semantic Kernel CVE-2026-25592 (.NET, fixed in 1.71.0) and CVE-2026-26030 (Python, fixed in 1.39.4). The Python flaw was an eval() of a model-influenced filter lambda in the InMemoryVectorStore; the fix constrains the evaluator with a syntax-tree-level allowlist (node-type allowlist, function-call allowlist, dangerous-attribute blocklist, name-node restriction). Per the Microsoft Security Blog post "When prompts become shells," May 7, 2026, and PointGuard AI's technical writeup.
- OpenAI Lockdown Mode and the concession that prompt injection in AI browsers may never be fully patched. Per OpenAI's February 13, 2026 announcement and contemporaneous coverage.
- OWASP researcher: prompt injection "remains unsolved." Per Infosecurity Magazine's coverage of Infosecurity Europe, June 2026.
- Cross-vendor hijack: one poisoned pull-request title compromised Anthropic's Claude Code review agent, Google's Gemini CLI, and GitHub's Copilot agent. Per SecurityWeek.
- Salesforce Agentforce "ForcedLeak" (CVSS 9.4) as background case study. Original Noma Security disclosure July 28, 2025; Salesforce shipped the Trusted URLs Enforcement fix September 8, 2025; public disclosure September 25, 2025. Listed because the 2026 coverage of CVE-2026-21520 frames the two together as a class of bug.