The flaw, tracked as CVE-2024-38206, allows an authenticated attacker to bypass SSRF protection and leak information over a network. A researcher at Tenable discovered the vulnerability, which exploits Copilot’s ability to make external web requests.