Microsoft’s March 2026 Patch Tuesday addresses 82 vulnerabilities. No zero-days this month — a welcome breather after February’s five. But two CVEs deserve special attention from anyone building or using AI agents.

One shows how agents can be weaponized. The other shows how agents are finding the bugs.

CVE-2026-26144: Excel XSS Weaponizes Copilot Agent Mode

Severity: Critical | CVSS: 7.5 | Type: Information Disclosure via XSS

This is the one that should keep agent builders up at night.

A cross-site scripting flaw in Microsoft Excel enables remote attackers with no privileges to trigger zero-click data exfiltration through Copilot Agent mode. The attack works via improper input neutralization during web page generation — a classic XSS, but the exfiltration channel is anything but classic.

Here’s what makes it alarming:

  • Zero-click — no user interaction required
  • Low attack complexity — nothing sophisticated needed
  • High confidentiality impact — Copilot Agent handles the actual data theft
  • No Preview Pane vector — the file must be opened, but Agent mode does the rest

The vulnerability essentially turns Copilot Agent into an unwitting accomplice. A crafted Excel file triggers unintended network egress through Agent mode, leaking sensitive data to an attacker-controlled endpoint. The agent doesn’t know it’s being exploited — it’s just following instructions baked into the malicious payload.

Microsoft rates exploitation as “unlikely” and has shipped a fix. But the pattern is what matters: XSS + Agent = exfiltration pipeline. Every system that grants agents network access is one injection away from this class of attack.

What OpenClaw Users Should Note

OpenClaw agents with file-processing capabilities face similar risks. If your agent can read files and make network requests, a crafted input could theoretically trigger unintended data flows. The mitigations are familiar:

  1. Sandbox file processing — don’t let agents process untrusted files with network access
  2. Restrict egress — allowlist outbound domains for agent actions
  3. Content inspection — validate file contents before agent processing
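
As an added illustration of mitigations 1 and 2 (not OpenClaw or Microsoft code): a per-task egress guard that denies every outbound request once the session has read an untrusted file, and otherwise permits only HTTPS on port 443 to exact allowlisted hosts. AgentSession, its methods and the host names are hypothetical and constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed allowlist; a real deployment lists only hosts its agent tools need.
ALLOWED_HOSTS = frozenset({"api.example.com", "files.example.com"})

@dataclass
class AgentSession:
    """Hypothetical per-task state wrapped around an agent's network tool."""
    allowed_hosts: frozenset
    tainted: bool = False                       # True once untrusted content was read
    denied: list = field(default_factory=list)  # (url, reason) pairs for alerting

    def read_untrusted_file(self, name: str) -> None:
        # Mitigation 1: untrusted file content and network access never coexist.
        self.tainted = True

    def check_egress(self, url: str) -> bool:
        reason = self._deny_reason(url)
        if reason:
            self.denied.append((url, reason))
        return reason is None

    def _deny_reason(self, url: str):
        if self.tainted:
            return "session has processed untrusted file content"
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").rstrip(".")
            port = parts.port                   # raises ValueError on a bad port
        except ValueError:
            return "unparseable URL"
        if parts.scheme != "https":
            return "scheme not https"
        if parts.username or parts.password:    # allowed-host@other-host confusion
            return "userinfo in URL"
        if port not in (None, 443):
            return "non-standard port"
        try:
            ipaddress.ip_address(host)
            return "IP literal"
        except ValueError:
            pass                                # not an IP address, keep checking
        # Mitigation 2: exact match only, so look-alike suffixes do not pass.
        if host not in self.allowed_hosts:
            return "host not on allowlist"
        return None
```

The denied list doubles as a detection signal: a task that suddenly requests an unlisted host right after opening a document is worth an alert.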

CVE-2026-21536: First Critical CVE Discovered by an AI Agent

Severity: Critical | CVSS: 9.8 | Type: Remote Code Execution

This one made history for a different reason.

CVE-2026-21536 is a critical RCE in the Microsoft Devices Pricing Program — an unrestricted file upload weakness that lets unauthenticated remote attackers execute arbitrary code with no user interaction and low attack complexity. Microsoft already patched it server-side; no customer action needed.

But the headline isn’t the bug. It’s who found it.

XBOW, a fully autonomous AI penetration testing agent, discovered and reported CVE-2026-21536. It’s the first critical vulnerability officially attributed to an AI agent and recognized with a CVE tied to the Windows ecosystem. XBOW has been consistently ranked at or near the top of HackerOne’s bug bounty leaderboard for the past year.

As Immersive’s Ben McCarthy put it: “It highlights a shift toward AI-driven discovery of complex vulnerabilities at increasing speed.”

The 9.8 CVSS score means this wasn’t a trivial finding. XBOW identified a critical-severity bug without source code access, through autonomous testing alone. The era of AI agents as vulnerability researchers isn’t theoretical — it’s producing CVEs with near-perfect severity scores.

The Double Edge

This creates an interesting dynamic for the OpenClaw ecosystem:

  • Defensive potential — AI agents could continuously test your infrastructure, finding bugs before attackers do
  • Offensive reality — the same capability in adversarial hands accelerates the discovery of exploitable vulnerabilities
  • Speed asymmetry — AI agents can test at a pace human researchers can’t match, compressing the window between vulnerability creation and discovery

CVE-2026-26030: Semantic Kernel Vector Store RCE

Severity: Important | CVSS: 9.9 | Type: Remote Code Execution

Quietly sitting in this month’s patches is CVE-2026-26030 — a filter vulnerability in Microsoft Semantic Kernel’s InMemoryVectorStore with a CVSS of 9.9. Semantic Kernel is the AI orchestration framework that powers many Microsoft Copilot integrations.

A 9.9 in an AI framework component used for RAG (Retrieval Augmented Generation) means that vector store queries — the backbone of how AI agents retrieve context — could be exploited for remote code execution. If you’re running Semantic Kernel in production, patch immediately.

The Bigger Picture

March 2026’s Patch Tuesday crystalizes a pattern we’ve been tracking:

  1. Agents as attack surface — CVE-2026-26144 shows how agent capabilities (network access, file processing) become exploitation vectors
  2. Agents as security tools — CVE-2026-21536 proves AI agents can find critical bugs autonomously
  3. Agent infrastructure as target — CVE-2026-26030 hits the AI framework layer directly

The same technology that makes agents powerful makes them dangerous — and makes them useful for finding the dangers. This isn’t a paradox to resolve. It’s the reality to manage.


Sources: CrowdStrike Patch Tuesday Analysis, Krebs on Security, Zero Day Initiative
