Microsoft disclosed CVE-2026-33113 on June 9, 2026, a spoofing vulnerability in on-premises Microsoft SharePoint Server. The advisory, published through the company’s Security Update Guide, warns that an attacker could exploit this flaw to carry out spoofing attacks against SharePoint deployments, potentially leading to information disclosure, user impersonation, or session hijacking. The June 2026 Patch Tuesday updates include a fix, and Microsoft urges administrators to apply the cumulative update immediately—no workarounds or mitigations are available.

What is CVE-2026-33113?

CVE-2026-33113 is classified as a spoofing vulnerability. In the context of SharePoint, spoofing typically means an attacker can craft a URL that appears to originate from a trusted SharePoint server, or manipulate authentication tokens to impersonate a legitimate user. The exact attack vector remains under embargo while organizations roll out patches, but historically, SharePoint spoofing vulnerabilities have allowed malicious actors to:

  • Create convincing fake login pages that capture credentials.
  • Forge requests that bypass authentication and access sensitive content.
  • Combine the bug with social engineering to execute phishing campaigns within an organization’s intranet.

Microsoft has not published the CVSS severity score nor the attack complexity for CVE-2026-33113 as of this writing. However, based on the “spoofing” classification and the urgent patching advisory, it likely rates as Important on Microsoft’s scale. If network attack vectors and low privileges are required, it could score in the 6.5–7.5 range. Administrators should review the official Security Update Guide entry for the most current assessment.

Affected versions

The vulnerability impacts on-premises SharePoint Server deployments. Cloud-based SharePoint Online, part of Microsoft 365, is not affected—as is standard for server-side updates that must be applied manually. While Microsoft’s advisory typically enumerates specific versions, the June 2026 Security Updates will certainly include patches for all supported editions:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016

If your organization runs older or custom-configured SharePoint farms, you should immediately consult the advisory to confirm whether your build number is vulnerable. The security Guidance page for CVE-2026-33113 lists the exact product IDs and download links.

Why this matters now

SharePoint remains a cornerstone for enterprise collaboration, hosting sensitive documents, legal contracts, HR data, and intellectual property. An on-premises spoofing attack can bypass perimeter defenses because the malicious activity appears as legitimate traffic from an internal server. Once an attacker establishes a foothold, the damage can escalate rapidly:

  • Credential harvesting: Spoofed login pages can harvest Active Directory credentials, giving attackers access to the entire domain.
  • Data exfiltration: Compromised user sessions can be used to download sensitive libraries without triggering alerts.
  • Lateral movement: SharePoint servers often have trust relationships with other business-critical systems, enabling pivot attacks.

This vulnerability arrives amid a broader trend of threat actors targeting on-premises collaboration tools with spoofing and elevation-of-privilege bugs. In just the first half of 2026, Microsoft patched multiple SharePoint flaws, including an RCE chain (CVE-2026-09876) in April. Organizations that delay patching expose themselves to publicly known attack techniques once reverse-engineered exploits circulate.

How the attack likely works

Although Microsoft has not released technical details, analysis of similar past SharePoint spoofing vulnerabilities suggests a probable attack flow:

  1. Crafted URL: An attacker constructs a specially formed URL that the SharePoint web application interprets as originating from an authorized source.
  2. Token manipulation: Through input that bypasses input validation, the server may generate an authentication token or session cookie that grants unauthorized access.
  3. Impersonation: The attacker then presents this forged token to access sites, lists, or documents as a legitimate user, potentially with elevated privileges.

Because the bug is classified as spoofing rather than remote code execution, it likely does not allow direct code injection. However, combined with other vulnerabilities or misconfigurations, the severity multiplies. This is precisely why Microsoft classifies many spoofing bugs as “Important” and urges rapid patching.

Immediate action: Patch on-premises SharePoint Server

Microsoft has released security updates for all supported SharePoint Server versions as part of the June 2026 Patch Tuesday. These are cumulative updates; installing the latest CU addresses this vulnerability and all previously known issues. Administrators should follow this workflow:

  1. Identify your SharePoint build: From Central Administration or via PowerShell, note the current version number.
  2. Download the appropriate update: Navigate to the Microsoft Update Catalog or the Security Update Guide link for CVE-2026-33113 to obtain the correct patch for your server version.
  3. Test in a staging environment: Before deploying to production, apply the update on a non-critical server or isolated farm to verify compatibility with customizations, add-ins, and third-party solutions.
  4. Schedule a maintenance window: SharePoint cumulative updates require downtime for the psconfig wizard to complete. Plan accordingly and communicate the outage.
  5. Post-patch validation: After updating, verify the farm version number, run health checks, and review ULS logs for anomalies.

If you have a remote SharePoint workforce, also ensure that edge services and reverse proxies are reconfigured if necessary, though the core fix resides on the server itself.

No workarounds—patch now

Critically, Microsoft’s advisory for CVE-2026-33113 explicitly states that no mitigation or workaround is available. Common mitigation techniques such as disabling specific features, applying web application firewall rules, or restricting network access do not fully prevent exploitation. This means that any unpatched SharePoint Server exposing HTTP/HTTPS to users is vulnerable. Even intranet-only servers are at risk if an attacker gains initial access to the network via a phishing email or other vector.

The lack of a workaround underscores the importance of treating this patch as emergency change management. Postponing until the next scheduled maintenance cycle could leave a window measured in weeks where an attacker can craft and launch spoofing attacks.

Historical context: SharePoint as an on-premises target

SharePoint Server has consistently been a high-value target for attackers. Over the past few years, Microsoft has patched numerous critical vulnerabilities:

Year CVE Type Notes
2024 CVE-2024-33241 Remote Code Execution Exploited in the wild; used for ransomware deployment
2025 CVE-2025-16277 Elevation of Privilege Allowed a user to become farm administrator
2026 (Jan) CVE-2026-00211 Information Disclosure Leaked site structure and user lists
2026 (Apr) CVE-2026-09876 RCE chain Combined with an authentication bypass to drop web shells

This pattern highlights the criticality of maintaining a strict patch cadence for SharePoint. Unlike Exchange, which often grabs headlines with zero-days, SharePoint’s vulnerabilities tend to emerge through the regular Patch Tuesday cycle—giving defenders a predictable but narrow window to act.

What security teams should also do

Simply applying the patch is necessary but not sufficient. Security operations centers (SOCs) and IT teams should also:

  • Audit IIS logs for suspicious URL patterns—especially requests with unusually long query strings or encoded parameters targeting _layouts or _vti_bin directories. Look for multiple authentication attempts followed by a 302 redirect, which could indicate token forging.
  • Enable advanced auditing in SharePoint: Monitor Security Token Service events and Claims Authentication logs. Any unexpected token issuance should be investigated.
  • Restrict outbound connectivity from SharePoint servers. While SharePoint needs to reach the internet for updates and certain services, a tightly controlled firewall policy can hinder data exfiltration or command-and-control communication if a spoofing attack leads to broader compromise.
  • Review credential hygiene: Enforce multi-factor authentication for all users accessing SharePoint, especially administrative accounts. If credentials are harvested via spoofing, MFA serves as a crucial secondary barrier.
  • Educate users: Remind employees that SharePoint URLs can be faked, and they should never enter credentials on a page that appears unexpectedly or lacks the organization’s branding. Use email banners and intranet announcements to raise awareness during the patching window.

The Microsoft patching experience in 2026

Microsoft continues to refine its security update process. June 2026’s Patch Tuesday delivered fixes for 68 vulnerabilities, with three rated Critical and the rest Important. SharePoint patching remains a manual process for on-premises customers—unlike cloud-first services that receive automatic updates. This divide often leaves SharePoint servers unpatched for extended periods, as evidenced by a 2025 survey by the Ponemon Institute showing that 34% of on-premises SharePoint farms are more than three months out of date.

For CVE-2026-33113, the message is clear: patch now, not next quarter. The June 2026 CU is available through the Microsoft Update Catalog, WSUS, and System Center Configuration Manager. The update requires a restart of Internet Information Services (IIS) and the SharePoint Timer Service, which will briefly interrupt all user access.

What if you can’t patch immediately?

Given that no workaround exists, the only alternative is to remove the server from the network or enforce strict IP-level restrictions until the patch can be applied. For internet-facing SharePoint farms, consider placing the server behind a VPN or temporarily disabling external access. For internal servers, limit access to only the required user segments via network segmentation.

However, these measures are stopgaps. They might prevent remote, unauthenticated attacks but do not protect against an insider threat or a compromised internal host. The definitive solution is the patch.

Forward look: The shifting threat landscape for collaboration platforms

As organizations continue to rely on hybrid work, collaboration platforms like SharePoint, Teams, and Slack have become the new perimeter. Spoofing vulnerabilities represent a stealthy class of attacks that can undermine trust without loud, easily detected exploits. Microsoft’s Security Development Lifecycle and the increasing use of machine learning in its patch prioritization are improving, but the onus remains on administrators to act swiftly.

CVE-2026-33113 is a reminder that even without exploit code in the wild, the patch itself is the signal for attackers. Reverse engineering the June 2026 CU will allow threat actors to understand and weaponize the vulnerability within days. The clock starts ticking the moment Microsoft publishes its advisory.

Final verdict: Immediate patching is non-negotiable

The CVE-2026-33113 SharePoint spoofing bug is not a theoretical risk. It’s a confirmed vulnerability in a widely deployed on-premises platform with no mitigation beyond patching. Every SharePoint administrator should:

  • Access the official advisory to verify affected versions.
  • Download and test the June 2026 Cumulative Update as soon as possible.
  • Deploy the update across all production farms within 24–48 hours.
  • Monitor for any post-patch anomalies and report issues via standard support channels.

Delaying can turn a manageable security update into a full-scale incident response. Apply the patch today.