CVE-2026-55051: Install Final SharePoint 2016/2019 Security Fix

Microsoft has patched CVE-2026-55051, a SharePoint Server information-disclosure vulnerability that lets an authenticated attacker use server-side request forgery to obtain sensitive data over a network. The flaw affects SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, making the July 14 security updates a priority for every remaining on-premises farm.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, CVE-2026-55051 carries a CVSS 3.1 score of 6.5 and a severity rating of Important. Microsoft describes the vulnerability as confirmed but says it was neither publicly disclosed nor known to be exploited when the advisory was published on July 14, 2026.

Infographic showing an SSRF attack compromising an on-premises SharePoint server farm and internal services.A Low-Privilege Account Can Reach Beyond SharePoint​

CVE-2026-55051 is classified as CWE-918, or server-side request forgery—usually shortened to SSRF. Instead of directly accessing protected information, an attacker causes the vulnerable SharePoint server to make a request on the attacker’s behalf.
That distinction matters in enterprise networks. A SharePoint server may be able to communicate with internal applications, management interfaces, metadata services, or other resources that are unreachable from an ordinary user workstation or the public internet. An SSRF flaw can potentially turn that trusted network position into a route for retrieving information.
Microsoft’s CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. In practical terms, the attack can be conducted over a network, requires little attack complexity, and does not require another user to open a document or click a link.
The attacker does need an authorized account with low-level privileges. That requirement keeps the base score below the Critical range, but it should not be mistaken for a strong barrier in environments where SharePoint access is widely granted, guest identities are supported, or credentials may already have been compromised through phishing or password spraying.
The scoring also identifies confidentiality as the sole direct impact. Microsoft has not attributed data modification, service disruption, or remote code execution to CVE-2026-55051 itself. Administrators should therefore treat it as a focused disclosure issue rather than conflate it with the separate SharePoint remote-code-execution vulnerabilities included in the same July release.

Three SharePoint Generations Need Different Updates​

Microsoft lists affected builds across all three on-premises SharePoint product lines. Systems below the following versions remain vulnerable:
  • SharePoint Enterprise Server 2016 is affected below build 16.0.5561.1001.
  • SharePoint Server 2019 is affected below build 16.0.10417.20175.
  • SharePoint Server Subscription Edition is affected below build 16.0.19725.20434.
The corresponding July packages are KB5002891 for SharePoint Server 2016, KB5002883 for SharePoint Server 2019, and KB5002882 for SharePoint Server Subscription Edition. Microsoft’s July 2026 Office update index also lists related language-pack updates where applicable.
For Subscription Edition, KB5002882 is a large cumulative security release rather than a single-purpose fix. It addresses CVE-2026-55051 alongside numerous SharePoint and Word vulnerabilities, including remote-code-execution, spoofing, security-feature-bypass, elevation-of-privilege, and additional information-disclosure issues. The package replaces KB5002873.
Microsoft also says KB5002882 fixes a nonsecurity regression that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. Farms affected by that regression therefore have an operational reason, in addition to the security case, to move to the July build.
SharePoint administrators should follow the full farm-upgrade process rather than regard installation of the package as the final step. Updates must be deployed consistently across the farm, followed by the required SharePoint Products Configuration Wizard or PSConfig work so that binaries, configuration data, and databases reach the intended patch level.

Workflow Manager Complicates the Maintenance Window​

Microsoft’s update documentation includes prerequisites for farms using SharePoint Workflow Manager. Administrators running that component must install Workflow Manager update KB5002799 before applying the SharePoint cumulative update.
Farms still using the Classic version of Workflow Manager require an additional compatibility setting. Microsoft instructs administrators to add server debug flag 53601 to the farm and reset IIS so that Classic Workflow Manager can continue operating.
Subscription Edition also has a known post-update instruction involving actor-token audience validation. After running PSConfig, Microsoft says administrators should set DisableActorTokenAudienceValidation to $true and update the farm. The company describes the affected validation as a defense-in-depth feature still under development and says existing actor-token validation checks remain active.
That instruction deserves attention during change control. It is not a substitute for the CVE-2026-55051 fix, nor does it mean administrators should skip the July package. It is a documented workaround for a regression associated with an additional protection included in the update.
Before deployment, farm owners should inventory workflow dependencies, custom solutions, authentication integrations, and servers that may have drifted from the farm’s current patch baseline. Afterward, they should verify the installed build on every SharePoint server, confirm that the configuration upgrade completed, and test workflows and authentication paths.

The Final Patch Arrives as 2016 and 2019 Leave Support​

The timing is unusually consequential for older farms. Microsoft’s lifecycle documentation places the end of extended support for both SharePoint Server 2016 and SharePoint Server 2019 on July 14, 2026, the same date these updates were released.
That makes the July packages the final scheduled security baseline for those fixed-lifecycle products unless Microsoft announces an exceptional servicing arrangement. Installing KB5002891 or KB5002883 closes CVE-2026-55051, but it does not extend the supported life of either platform.
Organizations keeping SharePoint 2016 or 2019 online now face two separate tasks: deploy the last available fixes and accelerate migration. Moving to SharePoint Server Subscription Edition preserves an on-premises model with continuing servicing, while SharePoint Online shifts more of the patching responsibility to Microsoft. The correct destination will depend on data residency, customization, authentication, and operational requirements, but remaining indefinitely on an unsupported internet-facing SharePoint farm is the riskiest option.
CVE-2026-55051 is not reported as a zero-day, and Microsoft’s assessment does not indicate active exploitation. Its combination of low attack complexity, network reachability, and high confidentiality impact nevertheless gives administrators little reason to postpone remediation—particularly where many users hold SharePoint accounts.
The immediate job is to install the correct July 14 package, complete the farm configuration upgrade, and confirm the resulting build. For SharePoint Server 2016 and 2019, that verified patch state should become the starting point for retirement rather than the end of the security plan.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: caloes.ca.gov
  3. Related coverage: windowscentral.com
  4. Related coverage: techradar.com
  5. Related coverage: tomshardware.com
  6. Related coverage: pcgamer.com
 

Back
Top