CVE-2026-58277: Patch SharePoint 2016/2019 Before Support Ends

Microsoft has patched CVE-2026-58277, a high-severity SharePoint elevation-of-privilege vulnerability affecting on-premises SharePoint Server 2016 and SharePoint Server 2019. Administrators should install the July 14, 2026 security updates immediately: KB5002891 for SharePoint Server 2016 and KB5002883 for SharePoint Server 2019, then complete the required farm configuration steps and verify the resulting build level.
Microsoft’s Security Response Center describes the flaw as improper authorization that lets an authorized attacker elevate privileges over a network. NIST’s National Vulnerability Database records Microsoft’s CVSS 3.1 score as 8.8 out of 10, with low attack complexity, no user interaction requirement, and potential impact to confidentiality, integrity, and availability.
This is not a SharePoint Online issue. The affected products listed by Microsoft and NIST are SharePoint Enterprise Server 2016 and SharePoint Server 2019 on x64 systems. That distinction matters for organizations that run hybrid environments: a Microsoft 365 tenant may be unaffected while an older on-premises farm still needs an urgent maintenance window.

IT professional monitors SharePoint security, patching, audit logs, and migration from on-premises servers to the cloud.A Low-Privilege Starting Point Can Become Full Farm Risk​

The vulnerability’s attack vector requires an attacker to already hold valid SharePoint authorization. That means CVE-2026-58277 is not an unauthenticated internet-facing remote-code-execution bug, but it should not be treated as routine either.
SharePoint farms routinely include large populations of authenticated users: employees, contractors, service accounts, partner identities, synchronization accounts, and accounts compromised through phishing. A flaw that turns low-level access into more powerful permissions changes the consequences of any one of those footholds.
Microsoft’s published vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. In practical terms, the attacker can operate over the network, needs low privileges rather than administrative access, faces low technical complexity, and does not need a victim to click a link or open a file. Successful exploitation could affect all three parts of the CIA triad: read protected content, alter content or configuration, and disrupt service availability.
NIST also identifies the underlying weakness as CWE-285, improper authorization. Microsoft has not published technical exploit details or a proof of concept, which is welcome, but the patch itself gives researchers a target for reverse engineering. Security teams should treat the window after Patch Tuesday as a period when technical detail can emerge quickly.

The Patch Arrived on the Products’ Final Support Date​

There is an uncomfortable calendar detail behind this update. Microsoft lists July 14, 2026 as the extended-support end date for both SharePoint Server 2016 and SharePoint Server 2019. CVE-2026-58277 was published on that same date.
That makes the July package especially important: it appears to be among the final security updates organizations can expect for these major SharePoint Server generations. Applying it closes this disclosed flaw, but it does not solve the broader operational problem of leaving a collaboration platform without future security fixes.
Microsoft’s lifecycle documentation says SharePoint Server 2016 reached extended-support end on July 14, while SharePoint Server 2019 follows the same date. Microsoft previously advised SharePoint 2019 customers to move directly to SharePoint Server Subscription Edition rather than plan another legacy-version upgrade.
For many enterprises, that migration is not a small project. SharePoint custom solutions often depend on farm solutions, legacy workflows, custom authentication configurations, content databases, SQL Server versions, Office Online Server, and line-of-business integrations. But this CVE turns the migration roadmap from a future-planning discussion into a measurable residual-risk decision.

Confirm the Correct Update, Not Just a “July Patch”​

Microsoft’s July 2026 Office update index lists separate SharePoint packages for the supported product lines. For the two versions affected by CVE-2026-58277, the relevant packages are:
  • SharePoint Server 2016 uses the July 14 security update KB5002891, with KB5002892 also listed for the SharePoint Server 2016 Language Pack.
  • SharePoint Server 2019 uses the July 14 security update KB5002883, with KB5002885 listed for the SharePoint Server 2019 Language Pack.
  • SharePoint Server Subscription Edition has its own July 14 package, KB5002882, but it is not listed as affected by CVE-2026-58277.
NIST lists SharePoint Server 2016 builds below 16.0.5561.1001 as vulnerable and SharePoint Server 2019 builds below 16.0.10417.20175 as vulnerable. Those are the useful compliance thresholds for inventory and post-deployment validation, especially where WSUS, Microsoft Endpoint Configuration Manager, or third-party patch tools report KB status inconsistently across farm nodes.
As with any SharePoint public update, install the update consistently across every server in the farm and run PSConfig after deployment. A binary-only rollout that leaves the SharePoint configuration database and server configuration steps incomplete is not a finished remediation.
Organizations should also assess whether they have split-role farms, standby disaster-recovery servers, disconnected administrative nodes, or development farms cloned from production. Those systems are frequently missed in routine patch reporting, even though their service accounts, content copies, and trust relationships can create a path back into production.

Patch First, Then Look for Unexpected Permission Changes​

CISA’s SSVC enrichment for CVE-2026-58277 currently records exploitation as “none” and automation as “no.” That is not a declaration that exploitation can never occur; it means there was no known exploitation signal in the data used for the assessment at publication time. The CVSS score and the vulnerability’s low-privilege requirement still justify rapid treatment.
The immediate response should focus on patching, but SharePoint administrators should also review activity that would be suspicious if an authorized account had acquired extra rights. Useful checks include recently elevated site collection administrators, unexpected changes to SharePoint or Active Directory groups, new app principals or service accounts, modified permissions on sensitive libraries, and unusual access to Central Administration.
Logging quality will determine how far that review can go. Preserve IIS logs, SharePoint ULS logs, Windows Security logs from web front ends and application servers, and relevant Active Directory audit events before normal retention rolls them over. Where Defender for Endpoint or a SIEM is present, correlate SharePoint account activity with logons, PowerShell execution, process starts, and outbound connections from farm servers.
There is no indication from Microsoft or NIST that this particular CVE is under active exploitation as of July 15. Still, the combination of a high impact score, network reachability, low required privileges, and the end of support for both affected product versions makes “wait for the next maintenance cycle” the wrong response.
The July 14 updates close CVE-2026-58277 for SharePoint Server 2016 and 2019. From July 15 onward, the more difficult question is whether the farm receiving that patch has a supported future at all.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
  2. Related coverage: caloes.ca.gov
  3. Related coverage: windowscentral.com
  4. Related coverage: techradar.com
  5. Related coverage: itpro.com
  6. Official source: support.microsoft.com
 

Back
Top