Microsoft has patched CVE-2026-55034, an Important-rated SharePoint Server spoofing vulnerability that can let an authenticated attacker inject untrusted content into pages viewed by another user. The flaw affects supported on-premises deployments of SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 7.3. Microsoft describes the underlying weakness as improper neutralization of input during web-page generation—better known as cross-site scripting, or XSS.
Administrators should apply the July 2026 SharePoint security updates and complete the normal SharePoint configuration-upgrade process. Although Microsoft says exploitation is less likely and reports no known attacks or public disclosure, the vulnerability can affect both the confidentiality and integrity of data presented through a SharePoint site.
CVE-2026-55034 is network-accessible, has low attack complexity, and requires low privileges. An attacker therefore needs authorization within the targeted SharePoint environment, but does not need administrative control of the farm or direct access to its servers.
Successful exploitation also requires user interaction. Microsoft’s CVSS vector indicates that another user must view or interact with attacker-controlled content before the spoofing behavior takes effect. That requirement limits opportunistic internet-wide exploitation, but it does not eliminate the threat inside organizations where employees, contractors, partners, and service accounts routinely receive SharePoint access.
The vulnerability’s CVSS vector is:
Microsoft assigns high potential impact to confidentiality and integrity, with no direct availability impact. In practical terms, the flaw is not expected to crash a SharePoint farm or make a site unavailable. Its value to an attacker lies instead in manipulating what users see or causing a trusted SharePoint page to handle hostile content.
The classic danger of stored or reflected XSS in an enterprise portal is the trust attached to the domain. A user may be more willing to interact with a page hosted on an internal SharePoint site than with an unfamiliar external address. Depending on the vulnerable context, injected content could be used to display false prompts, redirect users, imitate SharePoint controls, or attempt actions in the victim’s browser session.
Microsoft’s public description does not identify the exact SharePoint component, page, or input field involved. It says only that inadequate neutralization during page generation allows an authorized attacker to perform spoofing over a network. Administrators should avoid assuming that a specific site feature, custom web part, or legacy page is solely responsible until Microsoft publishes more technical detail.
The Subscription Edition update is cumulative and replaces KB5002873. Microsoft distributes it through Microsoft Update, the Microsoft Update Catalog, and the Download Center. SharePoint administrators using controlled deployment systems should verify that their selected package corresponds to the product installed on every farm server rather than relying solely on a generic compliance result.
Installing SharePoint binaries is only part of the update. Farms must be brought to a consistent patch level, and administrators should run the SharePoint Products Configuration Wizard or
Teams should also confirm the resulting farm build rather than checking only whether Windows Update reports success. Multi-server farms are particularly vulnerable to partial deployments when one application or web-front-end server misses the maintenance window, encounters a failed installer, or is returned to service before configuration completes.
SharePoint Online is not listed among the affected products. CVE-2026-55034 concerns Microsoft’s on-premises SharePoint Server releases, where customers remain responsible for deploying cumulative and security updates.
Environments still using the Classic version of Workflow Manager also require a SharePoint farm debug flag to continue operating. Microsoft instructs administrators to add flag
KB5002882 additionally fixes a regression in which SharePoint 2010 workflows failed to start after installation of the June 2026 update. That repair may make the July package especially relevant to organizations that delayed June deployment or rolled it back because of workflow failures.
Microsoft documents another post-
These servicing conditions make a blind emergency push undesirable even though the security update should not be postponed indefinitely. SharePoint farms often host deeply integrated applications, custom solutions, search components, and legacy workflows. A short validation cycle should therefore cover authentication, page rendering, document operations, search, workflows, and any custom web parts that process user-generated content.
Microsoft’s July assessment lists the issue as not publicly disclosed and not exploited, with exploitation considered less likely. The availability of an official fix also reduces the temporal score from the 7.3 base rating to 6.4.
That distinction matters because the terms can otherwise produce an exaggerated reading of the advisory. CVE-2026-55034 is a real, vendor-confirmed vulnerability with meaningful security impact, but the available evidence does not place it in the same category as a known zero-day or a vulnerability listed in an active-exploitation catalog.
The authenticated starting point should not lead administrators to dismiss it, either. SharePoint permissions are frequently distributed beyond core IT staff, and low-privilege accounts can be obtained through password reuse, phishing, stolen browser sessions, or compromised partner identities. An XSS flaw can then provide a bridge from a relatively weak account to interactions involving a more privileged user.
Organizations unable to patch immediately should review accounts with site contribution rights, investigate unusual page or list modifications, and restrict unnecessary external access. Those measures reduce exposure but are not substitutes for installing the corrected SharePoint builds.
The practical milestone is straightforward: every supported on-premises SharePoint server should reach its July 2026 patched build, complete
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 7.3. Microsoft describes the underlying weakness as improper neutralization of input during web-page generation—better known as cross-site scripting, or XSS.
Administrators should apply the July 2026 SharePoint security updates and complete the normal SharePoint configuration-upgrade process. Although Microsoft says exploitation is less likely and reports no known attacks or public disclosure, the vulnerability can affect both the confidentiality and integrity of data presented through a SharePoint site.
The Attack Starts With a SharePoint Account
CVE-2026-55034 is network-accessible, has low attack complexity, and requires low privileges. An attacker therefore needs authorization within the targeted SharePoint environment, but does not need administrative control of the farm or direct access to its servers.Successful exploitation also requires user interaction. Microsoft’s CVSS vector indicates that another user must view or interact with attacker-controlled content before the spoofing behavior takes effect. That requirement limits opportunistic internet-wide exploitation, but it does not eliminate the threat inside organizations where employees, contractors, partners, and service accounts routinely receive SharePoint access.
The vulnerability’s CVSS vector is:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:NMicrosoft assigns high potential impact to confidentiality and integrity, with no direct availability impact. In practical terms, the flaw is not expected to crash a SharePoint farm or make a site unavailable. Its value to an attacker lies instead in manipulating what users see or causing a trusted SharePoint page to handle hostile content.
The classic danger of stored or reflected XSS in an enterprise portal is the trust attached to the domain. A user may be more willing to interact with a page hosted on an internal SharePoint site than with an unfamiliar external address. Depending on the vulnerable context, injected content could be used to display false prompts, redirect users, imitate SharePoint controls, or attempt actions in the victim’s browser session.
Microsoft’s public description does not identify the exact SharePoint component, page, or input field involved. It says only that inadequate neutralization during page generation allows an authorized attacker to perform spoofing over a network. Administrators should avoid assuming that a specific site feature, custom web part, or legacy page is solely responsible until Microsoft publishes more technical detail.
July Builds Draw the Remediation Line
Available vulnerability records identify three affected on-premises SharePoint product branches. The corrected build thresholds are:- SharePoint Enterprise Server 2016 is updated to build 16.0.5561.1001.
- SharePoint Server 2019 is updated to build 16.0.10417.20175.
- SharePoint Server Subscription Edition is updated to build 16.0.19725.20434.
The Subscription Edition update is cumulative and replaces KB5002873. Microsoft distributes it through Microsoft Update, the Microsoft Update Catalog, and the Download Center. SharePoint administrators using controlled deployment systems should verify that their selected package corresponds to the product installed on every farm server rather than relying solely on a generic compliance result.
Installing SharePoint binaries is only part of the update. Farms must be brought to a consistent patch level, and administrators should run the SharePoint Products Configuration Wizard or
PSConfig as required by their established servicing procedure. A server that has received the package but has not completed the configuration phase should not automatically be treated as fully remediated.Teams should also confirm the resulting farm build rather than checking only whether Windows Update reports success. Multi-server farms are particularly vulnerable to partial deployments when one application or web-front-end server misses the maintenance window, encounters a failed installer, or is returned to service before configuration completes.
SharePoint Online is not listed among the affected products. CVE-2026-55034 concerns Microsoft’s on-premises SharePoint Server releases, where customers remain responsible for deploying cumulative and security updates.
Workflow Manager Adds a Deployment Dependency
The July Subscription Edition package comes with an important prerequisite for organizations running SharePoint Workflow Manager. Microsoft says KB5002799 must be installed in the farm before KB5002882 is applied.Environments still using the Classic version of Workflow Manager also require a SharePoint farm debug flag to continue operating. Microsoft instructs administrators to add flag
53601, update the farm, and reset IIS. That requirement should be tested with existing approval, document-processing, and line-of-business workflows before broad production rollout.KB5002882 additionally fixes a regression in which SharePoint 2010 workflows failed to start after installation of the June 2026 update. That repair may make the July package especially relevant to organizations that delayed June deployment or rolled it back because of workflow failures.
Microsoft documents another post-
PSConfig action for Subscription Edition. Administrators are told to set DisableActorTokenAudienceValidation to $true, temporarily disabling a defense-in-depth validation that remains under development and may cause a regression. Microsoft says existing actor-token validation checks remain active, but the unusual post-installation step deserves change-control documentation and subsequent review when a later cumulative update becomes available.These servicing conditions make a blind emergency push undesirable even though the security update should not be postponed indefinitely. SharePoint farms often host deeply integrated applications, custom solutions, search components, and legacy workflows. A short validation cycle should therefore cover authentication, page rendering, document operations, search, workflows, and any custom web parts that process user-generated content.
“Confirmed” Does Not Mean Exploited
The report-confidence text highlighted in Microsoft’s advisory refers to the CVSS temporal metric, not evidence of active attacks. A status of Confirmed means the vendor acknowledges the vulnerability and considers the available technical information credible. It does not mean Microsoft has observed CVE-2026-55034 being exploited in customer environments.Microsoft’s July assessment lists the issue as not publicly disclosed and not exploited, with exploitation considered less likely. The availability of an official fix also reduces the temporal score from the 7.3 base rating to 6.4.
That distinction matters because the terms can otherwise produce an exaggerated reading of the advisory. CVE-2026-55034 is a real, vendor-confirmed vulnerability with meaningful security impact, but the available evidence does not place it in the same category as a known zero-day or a vulnerability listed in an active-exploitation catalog.
The authenticated starting point should not lead administrators to dismiss it, either. SharePoint permissions are frequently distributed beyond core IT staff, and low-privilege accounts can be obtained through password reuse, phishing, stolen browser sessions, or compromised partner identities. An XSS flaw can then provide a bridge from a relatively weak account to interactions involving a more privileged user.
Organizations unable to patch immediately should review accounts with site contribution rights, investigate unusual page or list modifications, and restrict unnecessary external access. Those measures reduce exposure but are not substitutes for installing the corrected SharePoint builds.
The practical milestone is straightforward: every supported on-premises SharePoint server should reach its July 2026 patched build, complete
PSConfig, and pass a farm-wide health check. Administrators running Workflow Manager must account for Microsoft’s prerequisite and post-installation instructions, making verified farm completion—not package installation alone—the real measure of remediation.References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: caloes.ca.gov
</rdf:Alt> </dc:title> <dc:description> <rdf:Alt> <rdf:li xml:lang="x-default"/> </rdf:Alt> </dc:description> <dc:creator> <rdf:Seq> <rdf:li>(Contra
</rdf:Alt> </dc:description> <dc:creator> <rdf:Seq> <rdf:li>(Contractor) Melanie, Barlow@CalOESwww.caloes.ca.gov
- Related coverage: techradar.com
Microsoft 365 Copilot can be turned into a one-click data theft tool — inbox, OneDrive, and SharePoint data all at risk, so patch now | TechRadar
Varonis found a way to chain three bugs into one exploitwww.techradar.com - Related coverage: windowscentral.com
Microsoft issues emergency SharePoint patches for ToolShell | Windows Central
Microsoft has issued emergency patches for two zero-day vulnerabilities.www.windowscentral.com - Related coverage: pcgamer.com
Microsoft warns of 'active attacks' on its government and business server tech, with one cybersecurity expert claiming that they should 'assume that you have been compromised' | PC Gamer
There are a bunch of security agencies on the case, though.www.pcgamer.com - Related coverage: tomshardware.com
Microsoft says China-based hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware — three China-affiliated threat actors seen taking advantage | Tom's Hardware
The company has attributed these attacks to a group it calls Storm-2603.www.tomshardware.com