Microsoft 365 Copilot and LiteLLM exposed the same vulnerability pattern in consecutive weeks. Both tools accepted external input without validating trust boundaries, creating exploitable attack chains.

On June 15, Varonis disclosed SearchLeak (CVE-2026-42824), a flaw in Copilot Enterprise Search that allowed attackers to exfiltrate mailbox data through a single click. A victim opens a crafted Microsoft URL, Copilot automatically searches their email, and results leak via a Bing server-side request forgery (SSRF). No plugin installation required. No second confirmation. No user warning.

Four days prior, Obsidian Security published three CVEs against LiteLLM, a popular open-source LLM proxy framework. The vulnerability chain escalated low-privilege users to administrator access, enabling remote code execution. Both disclosures shared the same root cause: enterprise AI systems processed untrusted input without enforcing isolation.

The SearchLeak disclosure showed that Copilot treated any externally sourced search query as legitimate. An attacker only needed the victim to click a link. LiteLLM's flaw stemmed from accepting HTTP headers that should have been restricted to internal systems. Neither tool implemented proper input validation or context boundaries.

Four security research teams independently documented these patterns across different AI platforms, suggesting the issue spans the entire enterprise AI stack. Default configurations often trust external sources. Authentication checks frequently miss lateral requests. Many tools conflate user identity with admin capability.

Organizations running these tools should immediately audit five critical areas: input validation on all external API calls, trust boundaries between user contexts, default permissions on service accounts, SSRF protections on outbound requests, and whether AI tools can access data without explicit user action.
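One way to check the trust-boundary item for the internal-header case described above, as an added example that is not LiteLLM's or Microsoft's code: an edge filter that keeps internal-only headers only when the direct peer is a trusted hop, and reports what it dropped. The header names and the trusted network are hypothetical placeholders, and the sample request is constructed.

```python
import ipaddress

# Hypothetical names: headers only an internal hop may set, and the
# network those hops live on. Replace with your deployment's values.
INTERNAL_ONLY = {"x-internal-user-id", "x-internal-role"}
TRUSTED_PEERS = [ipaddress.ip_network("10.20.0.0/24")]


def canon(name):
    # CGI/WSGI-style stacks map "_" and "-" to the same variable, so
    # X_Internal_Role must be treated the same as X-Internal-Role.
    return name.strip().lower().replace("_", "-")


def peer_is_trusted(peer_ip, trusted=TRUSTED_PEERS):
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable peer address: fail closed
    return any(addr in net for net in trusted)


def sanitize_headers(peer_ip, headers, internal=INTERNAL_ONLY):
    """Return (clean_headers, dropped_names).

    headers is a list of (name, value) pairs as received on the socket.
    Internal-only headers survive only when the direct TCP peer is a
    trusted hop; dropped names are returned so they can be logged.
    """
    if peer_is_trusted(peer_ip):
        return list(headers), []
    clean, dropped = [], []
    for name, value in headers:
        if canon(name) in internal:
            dropped.append(name)
        else:
            clean.append((name, value))
    return clean, dropped


# Constructed sample request arriving from an untrusted client.
SAMPLE = [
    ("Authorization", "Bearer user-token"),
    ("X-Internal-Role", "admin"),
    ("x_internal_user_id", "1"),
    ("Content-Type", "application/json"),
]
```

A non-empty `dropped` list from an untrusted peer is worth logging as a detection signal, since legitimate external clients have no reason to send those headers.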

The pattern matters more than individual CVEs. Enterprise AI adoption outpaced security