CVE-2026-55040: Patch Critical SharePoint Server Auth Bypass

Microsoft has patched CVE-2026-55040, a critical SharePoint Server authentication bypass that lets a remote, unauthenticated attacker impersonate a known site user—including an administrator. The flaw carries a CVSS 3.1 score of 9.1 and affects on-premises SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
Detailed in Microsoft’s July 14, 2026 security advisory and discovered by Rapid7 Labs researcher Stephen Fewer, the vulnerability stems from weak authentication involving JSON Web Tokens. Rapid7 says it can be chained with a second, currently unpatched flaw to obtain unauthenticated remote code execution on a vulnerable SharePoint server.
Administrators should deploy the July 2026 SharePoint updates immediately, complete the SharePoint configuration process on every farm server, and verify the resulting build numbers. Microsoft and CISA had reported no known active exploitation as of July 15, but disclosure of the attack chain sharply reduces the comfort provided by that status.

A cybersecurity operations dashboard shows a vulnerable server, remote attacker, alerts, identity risks, and patch deployment.A Known Identity Is Enough to Cross the Boundary​

CVE-2026-55040 does not require credentials, prior access, or user interaction. According to Rapid7, an attacker needs to identify the SharePoint user they want to impersonate, using information such as an Active Directory Security Identifier or User Principal Name.
A UPN commonly resembles an email address, while SIDs may be discovered through enumeration or obtained from other exposed systems and data. Rapid7’s proof of concept reportedly enumerated prospective users and then assumed the identity of a SharePoint site administrator.
Successful exploitation gives the attacker the permissions of the impersonated account. That can expose documents and list data, permit unauthorized modifications, and provide access to administrative functions when the selected identity has elevated rights. Microsoft’s CVSS vector indicates high confidentiality and integrity impact, although the vulnerability by itself is not scored as directly affecting availability.
The vulnerable and corrected build boundaries are:
  • SharePoint Enterprise Server 2016 installations earlier than 16.0.5561.1001 are affected.
  • SharePoint Server 2019 installations earlier than 16.0.10417.20175 are affected.
  • SharePoint Server Subscription Edition installations earlier than 16.0.19725.20434 are affected.
Microsoft’s affected-product list is confined to on-premises SharePoint Server. SharePoint Online is not listed as vulnerable.

Rapid7’s Second Bug Keeps August on the Calendar​

CVE-2026-55040 is only the first half of the exploit chain found during a Rapid7 zero-day research project. Rapid7 says the authentication bypass can be combined with a separate SharePoint remote-code-execution vulnerability to compromise a server without authentication.
The research originated as an entry for the Pwn2Own Berlin competition. Rapid7 reported the complete chain to Microsoft on May 18, and Microsoft confirmed the findings on May 20. The companies agreed to split remediation across two scheduled servicing cycles: the authentication bypass in July and the remote-code-execution component in August 2026.
That sequencing matters. The July update closes the unauthenticated route demonstrated by CVE-2026-55040, but Rapid7 says the second underlying vulnerability remains scheduled for Microsoft’s August update cycle. Administrators therefore should not treat July’s patch as the final maintenance event associated with this research.
Rapid7 has withheld full technical details under a 30-day disclosure agreement requested by Microsoft. The company said it could publish earlier if exploitation is detected in the wild or another party releases the details. Even without a public exploit, defenders should assume that identity details such as UPNs are comparatively easy to obtain and prioritize any internet-facing SharePoint farm.
The risk is also not limited to direct code execution. Impersonating a privileged user can be enough to steal sensitive files, alter configuration, create persistence through authorized SharePoint mechanisms, or prepare a later attack against connected infrastructure.

July’s SharePoint Packages Need More Than an Installer​

Microsoft delivered the fix through the July 14 SharePoint security updates. SharePoint Server Subscription Edition receives KB5002882 and build 16.0.19725.20434. SharePoint Server 2019 receives KB5002883, with KB5002885 covering the associated language pack. SharePoint Server 2016 receives KB5002891 and KB5002892.
SharePoint patching is a farm operation rather than a conventional Windows update-and-reboot exercise. After installing the applicable packages, administrators must run the SharePoint Products Configuration Wizard, or the supported PSConfig.exe equivalent, on each machine in the farm. A server showing an installed Windows package but an unfinished SharePoint upgrade should not be considered fully remediated.
KB5002882 also carries several deployment caveats for Subscription Edition. Farms using SharePoint Workflow Manager must install KB5002799 before applying the cumulative update. Microsoft provides a separate debug-flag workaround for environments still running the classic version of Workflow Manager.
There is also a notable known issue. After running PSConfig, Microsoft instructs Subscription Edition administrators to execute PowerShell that sets DisableActorTokenAudienceValidation to true. Microsoft describes this as disabling a defense-in-depth validation feature still under development because it can cause a regression; existing actor-token validation checks remain in place.
That instruction deserves explicit inclusion in change plans rather than an improvised response after users report failures. Security teams may reasonably hesitate when a post-installation step disables a validation feature, but the setting is Microsoft’s documented workaround for this update—not a substitute for installing it.
Before reopening a patched farm to normal traffic, administrators should confirm that all servers report the intended patch state, test authentication and workflows, and review logs for unexplained access under privileged identities. Farms exposed through load balancers or reverse proxies should be kept out of rotation individually until both package installation and configuration have completed.

SharePoint 2016 and 2019 Reach the End of the Road​

The timing is particularly uncomfortable for organizations still running SharePoint Server 2016 or SharePoint Server 2019. Both products reached the end of extended support on July 14, 2026, the same date Microsoft published the CVE-2026-55040 fixes.
That makes the July packages a final security baseline rather than evidence that those releases remain viable. Installing KB5002891 or KB5002883 addresses this vulnerability, but it does not extend the products’ support lifecycle or guarantee fixes for flaws discovered after July 14.
Organizations retaining either release now face an unsupported-server problem layered on top of an authentication-boundary failure. The practical destination is SharePoint Server Subscription Edition or an appropriate Microsoft 365 migration, depending on data residency, customization, integration, and operational requirements.
For farms that cannot move immediately, administrators should reduce exposure while the migration proceeds. Direct internet access should be eliminated where possible, unnecessary accounts and permissions should be removed, and privileged SharePoint identities should receive particular monitoring. Network controls cannot repair weak token validation, but they can reduce the number of systems capable of reaching an aging server.
The next milestone is Microsoft’s August 2026 security release, when Rapid7 expects the second remote-code-execution component to be fixed. Until then, the defensible position is to install July’s updates, verify the completed farm upgrade, watch for Rapid7’s technical disclosure, and avoid leaving unsupported SharePoint 2016 or 2019 servers exposed to untrusted networks.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Official source: support.microsoft.com
  3. Related coverage: caloes.ca.gov
  4. Related coverage: cirt.gy
  5. Related coverage: techradar.com
  6. Related coverage: windowscentral.com
 

Back
Top