CVE-2026-55034: Patch SharePoint XSS With July 2026 Updates

Microsoft has patched CVE-2026-55034, an Important-rated SharePoint Server spoofing vulnerability that can let an authenticated attacker inject untrusted content into pages viewed by another user. The flaw affects supported on-premises deployments of SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Published by the Microsoft Security Response Center on July 14, 2026, the vulnerability carries a CVSS 3.1 base score of 7.3. Microsoft describes the underlying weakness as improper neutralization of input during web-page generation—better known as cross-site scripting, or XSS.
Administrators should apply the July 2026 SharePoint security updates and complete the normal SharePoint configuration-upgrade process. Although Microsoft says exploitation is less likely and reports no known attacks or public disclosure, the vulnerability can affect both the confidentiality and integrity of data presented through a SharePoint site.

Cybersecurity dashboard showing SharePoint servers protected from an XSS spoofing vulnerability.The Attack Starts With a SharePoint Account​

CVE-2026-55034 is network-accessible, has low attack complexity, and requires low privileges. An attacker therefore needs authorization within the targeted SharePoint environment, but does not need administrative control of the farm or direct access to its servers.
Successful exploitation also requires user interaction. Microsoft’s CVSS vector indicates that another user must view or interact with attacker-controlled content before the spoofing behavior takes effect. That requirement limits opportunistic internet-wide exploitation, but it does not eliminate the threat inside organizations where employees, contractors, partners, and service accounts routinely receive SharePoint access.
The vulnerability’s CVSS vector is:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Microsoft assigns high potential impact to confidentiality and integrity, with no direct availability impact. In practical terms, the flaw is not expected to crash a SharePoint farm or make a site unavailable. Its value to an attacker lies instead in manipulating what users see or causing a trusted SharePoint page to handle hostile content.
The classic danger of stored or reflected XSS in an enterprise portal is the trust attached to the domain. A user may be more willing to interact with a page hosted on an internal SharePoint site than with an unfamiliar external address. Depending on the vulnerable context, injected content could be used to display false prompts, redirect users, imitate SharePoint controls, or attempt actions in the victim’s browser session.
Microsoft’s public description does not identify the exact SharePoint component, page, or input field involved. It says only that inadequate neutralization during page generation allows an authorized attacker to perform spoofing over a network. Administrators should avoid assuming that a specific site feature, custom web part, or legacy page is solely responsible until Microsoft publishes more technical detail.

July Builds Draw the Remediation Line​

Available vulnerability records identify three affected on-premises SharePoint product branches. The corrected build thresholds are:
  • SharePoint Enterprise Server 2016 is updated to build 16.0.5561.1001.
  • SharePoint Server 2019 is updated to build 16.0.10417.20175.
  • SharePoint Server Subscription Edition is updated to build 16.0.19725.20434.
Microsoft’s support documentation identifies KB5002882 as the July 14 security update for SharePoint Server Subscription Edition. That package includes build 16.0.19725.20434 and addresses CVE-2026-55034 alongside numerous other SharePoint and Microsoft Word vulnerabilities.
The Subscription Edition update is cumulative and replaces KB5002873. Microsoft distributes it through Microsoft Update, the Microsoft Update Catalog, and the Download Center. SharePoint administrators using controlled deployment systems should verify that their selected package corresponds to the product installed on every farm server rather than relying solely on a generic compliance result.
Installing SharePoint binaries is only part of the update. Farms must be brought to a consistent patch level, and administrators should run the SharePoint Products Configuration Wizard or PSConfig as required by their established servicing procedure. A server that has received the package but has not completed the configuration phase should not automatically be treated as fully remediated.
Teams should also confirm the resulting farm build rather than checking only whether Windows Update reports success. Multi-server farms are particularly vulnerable to partial deployments when one application or web-front-end server misses the maintenance window, encounters a failed installer, or is returned to service before configuration completes.
SharePoint Online is not listed among the affected products. CVE-2026-55034 concerns Microsoft’s on-premises SharePoint Server releases, where customers remain responsible for deploying cumulative and security updates.

Workflow Manager Adds a Deployment Dependency​

The July Subscription Edition package comes with an important prerequisite for organizations running SharePoint Workflow Manager. Microsoft says KB5002799 must be installed in the farm before KB5002882 is applied.
Environments still using the Classic version of Workflow Manager also require a SharePoint farm debug flag to continue operating. Microsoft instructs administrators to add flag 53601, update the farm, and reset IIS. That requirement should be tested with existing approval, document-processing, and line-of-business workflows before broad production rollout.
KB5002882 additionally fixes a regression in which SharePoint 2010 workflows failed to start after installation of the June 2026 update. That repair may make the July package especially relevant to organizations that delayed June deployment or rolled it back because of workflow failures.
Microsoft documents another post-PSConfig action for Subscription Edition. Administrators are told to set DisableActorTokenAudienceValidation to $true, temporarily disabling a defense-in-depth validation that remains under development and may cause a regression. Microsoft says existing actor-token validation checks remain active, but the unusual post-installation step deserves change-control documentation and subsequent review when a later cumulative update becomes available.
These servicing conditions make a blind emergency push undesirable even though the security update should not be postponed indefinitely. SharePoint farms often host deeply integrated applications, custom solutions, search components, and legacy workflows. A short validation cycle should therefore cover authentication, page rendering, document operations, search, workflows, and any custom web parts that process user-generated content.

“Confirmed” Does Not Mean Exploited​

The report-confidence text highlighted in Microsoft’s advisory refers to the CVSS temporal metric, not evidence of active attacks. A status of Confirmed means the vendor acknowledges the vulnerability and considers the available technical information credible. It does not mean Microsoft has observed CVE-2026-55034 being exploited in customer environments.
Microsoft’s July assessment lists the issue as not publicly disclosed and not exploited, with exploitation considered less likely. The availability of an official fix also reduces the temporal score from the 7.3 base rating to 6.4.
That distinction matters because the terms can otherwise produce an exaggerated reading of the advisory. CVE-2026-55034 is a real, vendor-confirmed vulnerability with meaningful security impact, but the available evidence does not place it in the same category as a known zero-day or a vulnerability listed in an active-exploitation catalog.
The authenticated starting point should not lead administrators to dismiss it, either. SharePoint permissions are frequently distributed beyond core IT staff, and low-privilege accounts can be obtained through password reuse, phishing, stolen browser sessions, or compromised partner identities. An XSS flaw can then provide a bridge from a relatively weak account to interactions involving a more privileged user.
Organizations unable to patch immediately should review accounts with site contribution rights, investigate unusual page or list modifications, and restrict unnecessary external access. Those measures reduce exposure but are not substitutes for installing the corrected SharePoint builds.
The practical milestone is straightforward: every supported on-premises SharePoint server should reach its July 2026 patched build, complete PSConfig, and pass a farm-wide health check. Administrators running Workflow Manager must account for Microsoft’s prerequisite and post-installation instructions, making verified farm completion—not package installation alone—the real measure of remediation.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: caloes.ca.gov
  3. Related coverage: techradar.com
  4. Related coverage: windowscentral.com
  5. Related coverage: pcgamer.com
  6. Related coverage: tomshardware.com
 

Back
Top