Microsoft has fixed CVE-2026-55021, an Important-rated SharePoint Server spoofing vulnerability that allows an authenticated attacker to inject malicious content into web pages and potentially compromise data viewed or submitted by another user. The flaw affects supported on-premises releases of SharePoint Server and was patched in Microsoft’s July 14, 2026 security updates.
Detailed in the Microsoft Security Response Center’s July Patch Tuesday advisory, CVE-2026-55021 is a cross-site scripting vulnerability caused by improper neutralization of input during web-page generation. An attacker needs a valid SharePoint account and user interaction, but exploitation can occur remotely over a network.
Administrators should install the July SharePoint security update that corresponds to their deployed version and complete the SharePoint farm upgrade process. Simply copying update files or patching one server does not finish maintenance for a multi-server farm.
Microsoft describes CVE-2026-55021 as a spoofing vulnerability, while the underlying weakness is classified as CWE-79, or cross-site scripting. In practical terms, SharePoint does not safely neutralize certain attacker-controlled input before incorporating it into a generated page.
A successful attack could cause a trusted SharePoint site to present content supplied by the attacker. Depending on the affected page and the victim’s permissions, that content could misrepresent SharePoint data, redirect users, capture information entered into a fraudulent interface, or execute script within the site’s security context.
This is not an unauthenticated internet-to-server compromise. Microsoft’s CVSS vector specifies low privileges, meaning the attacker must already hold some level of authorized access to the SharePoint environment. The attack also requires a victim to interact with the crafted content.
Those requirements reduce the likelihood of indiscriminate exploitation, but they do not make the issue harmless. SharePoint farms frequently serve large employee populations, contractors, partner organizations, and departmental site owners. A compromised low-privilege account can therefore provide an attacker with both an entry point and a pool of higher-value users to target.
The distinction between server spoofing and ordinary phishing also matters. Users may be more willing to trust a page delivered from an organization’s legitimate SharePoint hostname, particularly when they reached it through an internal link or Microsoft 365 application. Security controls that rely largely on domain reputation can similarly struggle when the malicious content is presented through an approved business system.
The affected-product list is limited to on-premises SharePoint Server. Microsoft does not identify SharePoint Online as vulnerable to CVE-2026-55021, and cloud tenants do not deploy these server packages themselves.
CVE-2026-55021 carries a CVSS 3.1 base score of 8.1. Its vector,
The “confirmed” report-confidence component in Microsoft’s scoring data should not be confused with evidence of attacks. It means Microsoft has confirmed the vulnerability and the credibility of its technical assessment. It does not mean exploitation has been observed in production environments.
The CISA-provided SSVC data attached to the public CVE record listed exploitation as “none” on July 14. There was therefore no public indication at publication time that CVE-2026-55021 was being actively exploited, although that status can change after technical details and patches become widely available.
That broader coverage makes selective treatment of the spoofing flaw impractical. Administrators are deploying a cumulative SharePoint package rather than a narrow standalone correction, so the usual testing for farm customizations, web parts, authentication integrations, search, and workflows remains necessary.
Microsoft warns organizations using SharePoint Workflow Manager to install Workflow Manager update KB5002799 before applying the SharePoint cumulative update. Farms using the older Classic Workflow Manager also need Microsoft’s documented server debug flag to preserve workflow operation.
KB5002882 additionally fixes a regression that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. That fix may make July’s package particularly important for farms that delayed June’s update because of workflow failures.
The Subscription Edition update has a known post-installation step involving the
These prerequisites reinforce why SharePoint servicing is more involved than a routine Windows cumulative update. Every server in the farm should receive the applicable binaries, and administrators must then run the SharePoint Products Configuration Wizard or
Internet-facing farms deserve priority, but CVE-2026-55021 also presents a meaningful internal threat. An attacker who has obtained employee credentials through password reuse, token theft, phishing, or another compromised application could use an internal SharePoint site to target users with greater privileges.
Security teams should review recent SharePoint content changes and audit activity for unexpected pages, scripts, embedded frames, redirects, or modifications made by accounts that normally have limited publishing responsibilities. Web application firewall alerts and browser telemetry may help identify script injection attempts, though those controls are not substitutes for installing Microsoft’s update.
Organizations should also test pages created by custom solutions after patching. Cross-site scripting corrections often tighten input validation or output encoding, which can expose unsupported assumptions in legacy web parts and internally developed extensions. A broken customization should be repaired rather than used as justification for leaving the farm on a vulnerable build.
CVE-2026-55021 is not currently presented as an unauthenticated zero-day, but its network reach, low attack complexity, and potentially high confidentiality and integrity impact justify prompt deployment. For SharePoint administrators, the concrete finish line is a farm at build 16.0.5561.1001, 16.0.10417.20175, or 16.0.19725.20434 as applicable, with PSConfig completed and workflow prerequisites verified.
Detailed in the Microsoft Security Response Center’s July Patch Tuesday advisory, CVE-2026-55021 is a cross-site scripting vulnerability caused by improper neutralization of input during web-page generation. An attacker needs a valid SharePoint account and user interaction, but exploitation can occur remotely over a network.
Administrators should install the July SharePoint security update that corresponds to their deployed version and complete the SharePoint farm upgrade process. Simply copying update files or patching one server does not finish maintenance for a multi-server farm.
Authenticated Access Still Leaves a Wide Attack Surface
Microsoft describes CVE-2026-55021 as a spoofing vulnerability, while the underlying weakness is classified as CWE-79, or cross-site scripting. In practical terms, SharePoint does not safely neutralize certain attacker-controlled input before incorporating it into a generated page.A successful attack could cause a trusted SharePoint site to present content supplied by the attacker. Depending on the affected page and the victim’s permissions, that content could misrepresent SharePoint data, redirect users, capture information entered into a fraudulent interface, or execute script within the site’s security context.
This is not an unauthenticated internet-to-server compromise. Microsoft’s CVSS vector specifies low privileges, meaning the attacker must already hold some level of authorized access to the SharePoint environment. The attack also requires a victim to interact with the crafted content.
Those requirements reduce the likelihood of indiscriminate exploitation, but they do not make the issue harmless. SharePoint farms frequently serve large employee populations, contractors, partner organizations, and departmental site owners. A compromised low-privilege account can therefore provide an attacker with both an entry point and a pool of higher-value users to target.
The distinction between server spoofing and ordinary phishing also matters. Users may be more willing to trust a page delivered from an organization’s legitimate SharePoint hostname, particularly when they reached it through an internal link or Microsoft 365 application. Security controls that rely largely on domain reputation can similarly struggle when the malicious content is presented through an approved business system.
Three On-Premises SharePoint Releases Need Updates
The CVE record identifies Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition as affected. Microsoft’s published fixed-build thresholds are:- SharePoint Enterprise Server 2016 installations earlier than build 16.0.5561.1001 are affected.
- SharePoint Server 2019 installations earlier than build 16.0.10417.20175 are affected.
- SharePoint Server Subscription Edition installations earlier than build 16.0.19725.20434 are affected.
The affected-product list is limited to on-premises SharePoint Server. Microsoft does not identify SharePoint Online as vulnerable to CVE-2026-55021, and cloud tenants do not deploy these server packages themselves.
CVE-2026-55021 carries a CVSS 3.1 base score of 8.1. Its vector,
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N, reflects a network-reachable attack with low complexity, required low-level privileges, and required user interaction. Microsoft rates the potential confidentiality and integrity effects as high, while assigning no direct availability impact.The “confirmed” report-confidence component in Microsoft’s scoring data should not be confused with evidence of attacks. It means Microsoft has confirmed the vulnerability and the credibility of its technical assessment. It does not mean exploitation has been observed in production environments.
The CISA-provided SSVC data attached to the public CVE record listed exploitation as “none” on July 14. There was therefore no public indication at publication time that CVE-2026-55021 was being actively exploited, although that status can change after technical details and patches become widely available.
The July Cumulative Update Carries Operational Conditions
For SharePoint Server Subscription Edition, KB5002882 installs build 16.0.19725.20434 and replaces KB5002873. Microsoft says the package addresses numerous SharePoint and Office vulnerabilities beyond CVE-2026-55021, including remote-code-execution, elevation-of-privilege, information-disclosure, and security-feature-bypass issues.That broader coverage makes selective treatment of the spoofing flaw impractical. Administrators are deploying a cumulative SharePoint package rather than a narrow standalone correction, so the usual testing for farm customizations, web parts, authentication integrations, search, and workflows remains necessary.
Microsoft warns organizations using SharePoint Workflow Manager to install Workflow Manager update KB5002799 before applying the SharePoint cumulative update. Farms using the older Classic Workflow Manager also need Microsoft’s documented server debug flag to preserve workflow operation.
KB5002882 additionally fixes a regression that prevented SharePoint 2010 workflows from starting after installation of the June 2026 update. That fix may make July’s package particularly important for farms that delayed June’s update because of workflow failures.
The Subscription Edition update has a known post-installation step involving the
DisableActorTokenAudienceValidation farm property. Microsoft says administrators should apply its documented PowerShell setting after running PSConfig because a defense-in-depth actor-token validation feature under development can cause a regression. The company says existing actor-token validation checks remain active, but administrators should document the setting so it can be reviewed when Microsoft revises its guidance.These prerequisites reinforce why SharePoint servicing is more involved than a routine Windows cumulative update. Every server in the farm should receive the applicable binaries, and administrators must then run the SharePoint Products Configuration Wizard or
PSConfig as appropriate to upgrade the farm’s databases and components.Patch Verification Must Reach Beyond Windows Update
A successful package installation in Windows Update history is not enough to confirm that a SharePoint farm is fully protected. Administrators should verify the installed build across every SharePoint server, confirm that the configuration database reports no pending upgrade work, and check Central Administration for servers requiring action.Internet-facing farms deserve priority, but CVE-2026-55021 also presents a meaningful internal threat. An attacker who has obtained employee credentials through password reuse, token theft, phishing, or another compromised application could use an internal SharePoint site to target users with greater privileges.
Security teams should review recent SharePoint content changes and audit activity for unexpected pages, scripts, embedded frames, redirects, or modifications made by accounts that normally have limited publishing responsibilities. Web application firewall alerts and browser telemetry may help identify script injection attempts, though those controls are not substitutes for installing Microsoft’s update.
Organizations should also test pages created by custom solutions after patching. Cross-site scripting corrections often tighten input validation or output encoding, which can expose unsupported assumptions in legacy web parts and internally developed extensions. A broken customization should be repaired rather than used as justification for leaving the farm on a vulnerable build.
CVE-2026-55021 is not currently presented as an unauthenticated zero-day, but its network reach, low attack complexity, and potentially high confidentiality and integrity impact justify prompt deployment. For SharePoint administrators, the concrete finish line is a farm at build 16.0.5561.1001, 16.0.10417.20175, or 16.0.19725.20434 as applicable, with PSConfig completed and workflow prerequisites verified.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: techradar.com
Microsoft 365 Copilot can be turned into a one-click data theft tool — inbox, OneDrive, and SharePoint data all at risk, so patch now | TechRadar
Varonis found a way to chain three bugs into one exploitwww.techradar.com - Related coverage: windowscentral.com
Microsoft issues emergency SharePoint patches for ToolShell | Windows Central
Microsoft has issued emergency patches for two zero-day vulnerabilities.www.windowscentral.com - Related coverage: tomsguide.com
Microsoft releases emergency security updates to fix SharePoint zero-day flaws — everything you need to know | Tom's Guide
Two zero-day flaws have been patched to fix actively exploited vulnerabilities in SharePoint.www.tomsguide.com - Related coverage: pcgamer.com
Microsoft warns of 'active attacks' on its government and business server tech, with one cybersecurity expert claiming that they should 'assume that you have been compromised' | PC Gamer
There are a bunch of security agencies on the case, though.www.pcgamer.com - Official source: support.microsoft.com
Description of the security update for SharePoint Server 2019: February 10, 2026 (KB5002834) | Microsoft Support
Description of the security update for SharePoint Server 2019: February 10, 2026 (KB5002834)support.microsoft.com