Microsoft has fixed CVE-2026-56157, an authenticated network spoofing vulnerability affecting SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Administrators should install the July 14, 2026 SharePoint security updates and verify that every farm server reaches the patched build level.
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the flaw stems from improper access control in Microsoft Office SharePoint. An authorized attacker can exploit it remotely without user interaction, potentially presenting spoofed content while compromising limited confidentiality and integrity.
CVE-2026-56157 carries a CVSS 3.1 base score of 5.4, rated Medium. That score makes it less severe than the remote-code-execution and elevation-of-privilege vulnerabilities also addressed in July’s SharePoint packages, but it should not be treated as optional maintenance on a collaboration platform that routinely holds trusted documents, internal links, workflows, and identity-connected content.
Microsoft’s CVSS vector is
That prerequisite is the main reason the vulnerability sits in the Medium band. CVE-2026-56157 is not described as an anonymous, internet-facing takeover route, nor does Microsoft say successful exploitation gives an attacker code execution or administrative control over the SharePoint farm.
The absence of a user-interaction requirement still matters. Once an attacker has obtained or legitimately holds a suitable account, exploitation does not depend on persuading another user to open a document, follow a link, or approve a prompt. That makes compromised employee accounts, stale contractor identities, over-permissioned external users, and malicious insiders relevant parts of the threat model.
Microsoft describes the result as spoofing, with low confidentiality and integrity impact and no direct availability impact. The advisory does not publicly document the exact interface, request format, or SharePoint object involved, limiting defenders’ ability to build a precise network signature or independently reproduce the issue.
No public exploitation was identified when the CVE was published on July 14. CISA’s initial assessment recorded exploitation as “none,” judged the issue not readily automatable, and classified the technical impact as partial. Those are useful prioritization signals, but they are not evidence that unpatched servers will remain safe after the advisory gives researchers and attackers a starting point.
The build thresholds are more useful than simply checking whether Windows Update reports success. SharePoint farms can contain multiple application and web-front-end servers, and a package installed on one machine does not prove the entire farm has been brought to a consistent patch level.
Administrators should inventory all SharePoint servers, install the appropriate update on each one, run the SharePoint Products Configuration Wizard or
The July packages are cumulative and address far more than CVE-2026-56157. Microsoft’s SharePoint Server Subscription Edition update, for example, includes fixes for multiple SharePoint information-disclosure, remote-code-execution, security-feature-bypass, elevation-of-privilege, and spoofing vulnerabilities, along with Microsoft Word issues reachable through SharePoint components. Delaying the package therefore leaves a farm exposed to a broader July security set, not merely this Medium-severity flaw.
Farms still using the Classic version of Workflow Manager require an additional compatibility step. Microsoft instructs administrators to enable SharePoint farm debug flag
SharePoint Server Subscription Edition has another post-update consideration. Microsoft says administrators should run specified PowerShell commands after
The Subscription Edition package also fixes a nonsecurity regression that prevented SharePoint 2010 workflows from starting after the June 2026 update. Organizations that delayed June’s package because of that problem now have a reason to move directly to July’s cumulative build, subject to testing their workflow stack and custom solutions.
These servicing details make staged deployment sensible, but they do not justify leaving production farms indefinitely unpatched. A representative test farm should include authentication integrations, custom web parts, farm solutions, search, Office document handling, Workflow Manager, and any reverse proxy or web application firewall positioned in front of SharePoint.
In this case, confidence in the vulnerability’s existence is high because Microsoft, the product vendor and CVE Numbering Authority, acknowledged the issue, assigned affected build ranges, and released fixes. Public technical depth remains limited because the advisory does not disclose the vulnerable endpoint, the spoofed object, a proof of concept, or detailed attack mechanics.
That combination is common on Patch Tuesday: defenders have authoritative confirmation and a remediation path, while enough implementation detail is withheld to avoid immediately handing attackers a recipe. It also means security teams should be cautious about creating narrow detection logic based on assumptions about how the spoofing works.
Until Microsoft or a researcher publishes further analysis, practical monitoring should focus on broader indicators. Review suspicious activity by low-privilege accounts, unexpected changes to SharePoint content or metadata, anomalous requests to publishing and collaboration features, unusual external-user behavior, and authentication events involving dormant or newly compromised identities.
Restricting SharePoint access at the perimeter can reduce exposure, but it does not eliminate the risk from authenticated users or compromised credentials. Farms published directly to the internet deserve priority, followed by deployments offering partner or guest access and environments where SharePoint contains security-sensitive documents or trusted links used in administrative workflows.
CVE-2026-56157 is not the headline-grabbing SharePoint server takeover scenario suggested by a critical unauthenticated flaw. It is a confirmed access-control weakness that lets an already authorized network attacker cross a trust boundary and spoof content without involving another user. For administrators, the concrete finish line is a fully updated farm running at least build 16.0.5561.1001, 16.0.10417.20175, or 16.0.19725.20434, with
Detailed in Microsoft’s Security Update Guide and corroborated by the National Vulnerability Database, the flaw stems from improper access control in Microsoft Office SharePoint. An authorized attacker can exploit it remotely without user interaction, potentially presenting spoofed content while compromising limited confidentiality and integrity.
CVE-2026-56157 carries a CVSS 3.1 base score of 5.4, rated Medium. That score makes it less severe than the remote-code-execution and elevation-of-privilege vulnerabilities also addressed in July’s SharePoint packages, but it should not be treated as optional maintenance on a collaboration platform that routinely holds trusted documents, internal links, workflows, and identity-connected content.
Authenticated Access Keeps the Score Down
Microsoft’s CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. In practical terms, an attacker can reach the vulnerable component over a network, exploitation requires low complexity, and no victim interaction is required. The attacker does, however, need an existing low-privilege SharePoint account.That prerequisite is the main reason the vulnerability sits in the Medium band. CVE-2026-56157 is not described as an anonymous, internet-facing takeover route, nor does Microsoft say successful exploitation gives an attacker code execution or administrative control over the SharePoint farm.
The absence of a user-interaction requirement still matters. Once an attacker has obtained or legitimately holds a suitable account, exploitation does not depend on persuading another user to open a document, follow a link, or approve a prompt. That makes compromised employee accounts, stale contractor identities, over-permissioned external users, and malicious insiders relevant parts of the threat model.
Microsoft describes the result as spoofing, with low confidentiality and integrity impact and no direct availability impact. The advisory does not publicly document the exact interface, request format, or SharePoint object involved, limiting defenders’ ability to build a precise network signature or independently reproduce the issue.
No public exploitation was identified when the CVE was published on July 14. CISA’s initial assessment recorded exploitation as “none,” judged the issue not readily automatable, and classified the technical impact as partial. Those are useful prioritization signals, but they are not evidence that unpatched servers will remain safe after the advisory gives researchers and attackers a starting point.
Three SharePoint Generations Need New Builds
The CVE record identifies three affected on-premises SharePoint branches. Farms running versions below the following builds remain exposed:- SharePoint Enterprise Server 2016 must be updated to build 16.0.5561.1001 or later.
- SharePoint Server 2019 must be updated to build 16.0.10417.20175 or later.
- SharePoint Server Subscription Edition must be updated to build 16.0.19725.20434 or later.
The build thresholds are more useful than simply checking whether Windows Update reports success. SharePoint farms can contain multiple application and web-front-end servers, and a package installed on one machine does not prove the entire farm has been brought to a consistent patch level.
Administrators should inventory all SharePoint servers, install the appropriate update on each one, run the SharePoint Products Configuration Wizard or
PSConfig according to the organization’s established deployment process, and confirm that the configuration database upgrade completes. SharePoint Central Administration and PowerShell-based build checks should then show a consistent patched state across the farm.The July packages are cumulative and address far more than CVE-2026-56157. Microsoft’s SharePoint Server Subscription Edition update, for example, includes fixes for multiple SharePoint information-disclosure, remote-code-execution, security-feature-bypass, elevation-of-privilege, and spoofing vulnerabilities, along with Microsoft Word issues reachable through SharePoint components. Delaying the package therefore leaves a farm exposed to a broader July security set, not merely this Medium-severity flaw.
Workflow Dependencies Complicate the Maintenance Window
The security update has prerequisites that can affect farms using SharePoint workflows. Microsoft warns organizations running SharePoint Workflow Manager to install Workflow Manager update KB5002799 before applying the July SharePoint cumulative update.Farms still using the Classic version of Workflow Manager require an additional compatibility step. Microsoft instructs administrators to enable SharePoint farm debug flag
53601 and reset IIS so Classic Workflow Manager can continue operating. That requirement should be incorporated into change plans rather than discovered after business workflows stop processing.SharePoint Server Subscription Edition has another post-update consideration. Microsoft says administrators should run specified PowerShell commands after
PSConfig to disable an in-development defense-in-depth actor-token audience validation feature that can cause a regression. Existing actor-token validation remains enabled, according to the KB5002882 documentation, but the temporary setting deserves explicit tracking so it is not mistaken for an undocumented local workaround months later.The Subscription Edition package also fixes a nonsecurity regression that prevented SharePoint 2010 workflows from starting after the June 2026 update. Organizations that delayed June’s package because of that problem now have a reason to move directly to July’s cumulative build, subject to testing their workflow stack and custom solutions.
These servicing details make staged deployment sensible, but they do not justify leaving production farms indefinitely unpatched. A representative test farm should include authentication integrations, custom web parts, farm solutions, search, Office document handling, Workflow Manager, and any reverse proxy or web application firewall positioned in front of SharePoint.
Confidence Text Is Not an Exploitability Rating
The advisory’s generic discussion of vulnerability confidence describes how certain the ecosystem is that a flaw exists and how much credible technical detail is available. It should not be read as a separate severity score or as proof that exploitation has occurred.In this case, confidence in the vulnerability’s existence is high because Microsoft, the product vendor and CVE Numbering Authority, acknowledged the issue, assigned affected build ranges, and released fixes. Public technical depth remains limited because the advisory does not disclose the vulnerable endpoint, the spoofed object, a proof of concept, or detailed attack mechanics.
That combination is common on Patch Tuesday: defenders have authoritative confirmation and a remediation path, while enough implementation detail is withheld to avoid immediately handing attackers a recipe. It also means security teams should be cautious about creating narrow detection logic based on assumptions about how the spoofing works.
Until Microsoft or a researcher publishes further analysis, practical monitoring should focus on broader indicators. Review suspicious activity by low-privilege accounts, unexpected changes to SharePoint content or metadata, anomalous requests to publishing and collaboration features, unusual external-user behavior, and authentication events involving dormant or newly compromised identities.
Restricting SharePoint access at the perimeter can reduce exposure, but it does not eliminate the risk from authenticated users or compromised credentials. Farms published directly to the internet deserve priority, followed by deployments offering partner or guest access and environments where SharePoint contains security-sensitive documents or trusted links used in administrative workflows.
CVE-2026-56157 is not the headline-grabbing SharePoint server takeover scenario suggested by a critical unauthenticated flaw. It is a confirmed access-control weakness that lets an already authorized network attacker cross a trust boundary and spoof content without involving another user. For administrators, the concrete finish line is a fully updated farm running at least build 16.0.5561.1001, 16.0.10417.20175, or 16.0.19725.20434, with
PSConfig, workflow prerequisites, and post-update validation completed on every server.References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Official source: support.microsoft.com
Description of the security update for SharePoint Server 2019: February 10, 2026 (KB5002834) | Microsoft Support
Description of the security update for SharePoint Server 2019: February 10, 2026 (KB5002834)support.microsoft.com