Scoopfeeds — Intelligent news, curated.
Copilot searched your mailbox. LiteLLM handed out admin keys. Run this 5-check audit before your stack is next
ai

Copilot searched your mailbox. LiteLLM handed out admin keys. Run this 5-check audit before your stack is next

VentureBeat AI · Jun 18, 2026, 5:42 PM

Why this matters: a development in AI with implications for how people work, create, and decide.

Two AI tools broke in the same way in the same two weeks, and four research teams proved it. The pattern underneath every disclosure is one sentence: enterprise AI accepts external input with no trust boundary. On June 15, Varonis disclosed Search Leak (CVE-2026-42824), a proof-of-concept exfiltration chain in Microsoft 365 Copilot Enterprise Search. A victim clicks a crafted microsoft.com URL, Copilot searches their mailbox, and the data leaves through a Bing SSRF. No plugins, no second click, no visible indicator. Four days earlier, Obsidian Security published a three-CVE chain against LiteLLM that carried a default low-privilege user all the way to admin and remote code execution. Two tools. Two teams. One broken boundary.The five-check audit at the end of this article maps each gap to a CVE or a market signal from June, a command you can run before lunch, and a sentence a CISO can read to the board.Copilot turned a trusted URL into an exfiltration engineSearchLeak chained three weaknesses into a silent data-theft chain. The URL q parameter fed attacker instructions straight to Copilot’s LLM. A rendering race condition fired an image tag before the output sanitizer ran. Bing’s image-search endpoint, allowlisted in the Content Security Policy, routed the stolen data out. Microsoft rated the flaw critical and patched it on the back end, according to Varonis. NVD has not yet scored it; a third-party tracker lists it at 6.5 medium. The severity is contested, but the mechanism is not.The escalation is the real story. This is the third Varonis Copilot exfiltration chain in twelve months, after Reprompt in January and EchoLeak in 2025. Reprompt hit Copilot Personal. SearchLeak hit Enterprise Search. Enterprise inherits the user’s full organizational permissions, so the blast radius is everything that a user can reach.LiteLLM handed a default account to every provider keyThe LiteLLM gateway holds the keys for OpenAI, Anthropic, Azure, and Bedrock behind a single proxy. Th

Article preview — originally published by VentureBeat AI. Full story at the source.
Read full story on VentureBeat AI → More top stories

More in ai

TechCrunch AI
AI inference startup Baseten reportedly raising $1.5B months after its last mega round
Wired
The White House Is Making Up Its Rules for AI in Real Time
TechCrunch AI
OpenAI is bringing on some big guns in the lead-up to its IPO
Wired
44 Best Father’s Day Gifts for Dads (2026)
Wired
Meta’s AI Workers Are Revolting, Peter Thiel’s Secret Society, and SBF’s Plea to Trump

Browse all ai coverage →

Aggregated and edited by the Scoop newsroom. We surface news from VentureBeat AI alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop