Researchers have already found a critical vulnerability in the new NLWeb protocol Microsoft made a big deal about just just a few months ago at Build. Discovery of the embarrassing security flaw comes in the early stages of Microsoft deploying NLWeb with customers like Shopify, Snowlake, and TripAdvisor. The flaw allows any remote users to read sensitive files, including system configuration files and even OpenAI or Gemini API keys. Guan and Wang reported the flaw to Microsoft on May 28th, just weeks after NLWeb was unveiled. The security researchers have been pushing Microsoft to issue a CVE, but the company has been reluctant to do so.