
CVE-2026-26144: an Excel XSS can turn Copilot into a zero-click data thief

Microsoft’s March 2026 Patch Tuesday closed with a flaw that bridges two worlds: an old web-security problem, cross-site scripting, and the new layer of AI agents now baked into office apps. The vulnerability is CVE-2026-26144, an information-disclosure bug in Microsoft Excel that Microsoft rated Critical, its highest mark in the March batch, even though it is formally a disclosure issue rather than code execution.

What the vulnerability is

At its core sits a cross-site scripting (XSS) flaw. An attacker crafts a spreadsheet whose content, once Excel processes it, is injected into and executed in a context where it should not run. On its own that would be serious but contained. What raises the stakes is the pairing with the Copilot agent built into the Office environment.

When the XSS is chained with that agent, an attacker can read and pull out the user’s sensitive data without the victim deliberately opening anything dangerous or accepting any prompt. That is why it counts as a zero-click attack: nobody has to click, confirm, or run anything for data to start leaving. The AI assistant itself, with its permissions to read content and act on it, becomes the exfiltration channel.

This pattern is what worries Microsoft and the people who research this area. AI agents have broad access to documents, mail, and user data, and they reason over content that can come from untrusted sources. A classic application bug, combined with those permissions, reaches much further than it would alone.

Who is affected and how serious it is

The affected product is Microsoft Excel, part of the Office suite. The Critical rating Microsoft assigned is unusual for an information-disclosure flaw: it signals that a successful exploit could expose highly sensitive data. Any organization that pairs Excel with Copilot features should treat this as a priority.

No attacks using the flaw were reported at the time of publication. Even so, the zero-click nature and the use of a legitimate component as the vector make it particularly awkward: there is no obvious suspicious behavior to warn the user.

Mitigation

The answer is the usual Patch Tuesday one: apply Microsoft’s March 2026 updates. The fix for CVE-2026-26144 shipped in that batch, alongside the month’s other flaws. In managed environments, roll it out promptly to every machine running Office, paying attention to Excel installations and to setups where Copilot can read documents.

As a deeper measure, review what permissions and what content sources your AI agents have. An assistant that processes files arriving by email or downloaded from the internet inherits the risk of any flaw in those documents.

This was not the only Critical issue of the month. The same Patch Tuesday fixed an RCE in Office exploitable through the preview pane and a SQL Server zero-day that allowed escalation to sysadmin. If you manage Windows machines, review them together.
