On July 14, 2026, Microsoft pushed out security updates that fix CVE-2026-55040, a critical authentication-bypass vulnerability in on‑premises SharePoint Server. The flaw, rated CVSS 9.1, lets a remote, unauthenticated attacker impersonate any known SharePoint site user—including an administrator—without needing a password, a token, or any user interaction. Security researchers at Rapid7 discovered the bug and warn that it can be chained with a second, yet‑unpatched vulnerability to achieve full remote code execution.
For the thousands of organizations still running SharePoint Server 2016, 2019, or Subscription Edition on their own hardware, this isn’t just another Patch Tuesday. The July update closes the most pressing door, but it doesn’t lock the whole house. Administrators have a narrow window to fix the impersonation problem before details of the companion bug surface, and the same day these patches shipped also marked the end of extended support for both SharePoint Server 2016 and 2019.
What the Patch Fixes
CVE-2026-55040 sits inside the part of SharePoint that validates JSON Web Tokens used to establish a user’s identity. Rapid7 researcher Stephen Fewer found that the validation logic can be tricked. An attacker who knows a valid user’s identity—a User Principal Name (UPN), which often looks exactly like an email address, or an Active Directory Security Identifier (SID)—can craft a request that SharePoint mistakes for a legitimate sign‑in by that user.
No prior access is needed. No stolen session cookies are required. The attack works from the internet against a vulnerable SharePoint farm, and Rapid7’s proof‑of‑concept demonstrated successfully enumerating potential targets and then impersonating a site collection administrator.
Once inside, the attacker inherits every permission of the chosen identity. That can mean viewing or downloading sensitive documents, editing list data, changing site settings, or taking control of administrative features. Microsoft’s CVSS vector scores the impact on confidentiality and integrity as “high,” though the bug by itself is not rated as directly affecting availability.
Affected products are confined to on‑premises SharePoint Server. SharePoint Online is not vulnerable. The precise build boundaries are:
| Product | Vulnerable if older than | Fixed build (after July 2026 update) |
|---|---|---|
| SharePoint Enterprise Server 2016 | 16.0.5561.1001 | 16.0.5561.1001 |
| SharePoint Server 2019 | 16.0.10417.20175 | 16.0.10417.20175 |
| SharePoint Server Subscription Edition | 16.0.19725.20434 | 16.0.19725.20434 |
The update packages themselves are KB5002882 for Subscription Edition, KB5002883 (and the language pack KB5002885) for 2019, and KB5002891 plus KB5002892 for 2016.
The Second Bug Hides in Plain Sight
Rapid7’s research began as an entry for Pwn2Own Berlin. The team found two vulnerabilities that, together, form a zero‑interaction, unauthenticated exploit chain. The first stage is the authentication bypass now tracked as CVE-2026-55040. The second stage is a remote‑code‑execution bug that Rapid7 has not yet publicly detailed.
Microsoft and Rapid7 agreed to split the fix across two monthly servicing cycles. The authentication bypass landed in July, and the RCE component is scheduled for August 2026. That sequencing means a fully patched July installation still runs a vulnerable SharePoint server if the second flaw remains unaddressed. An attacker who has already impersonated a user cannot execute arbitrary code through CVE-2026-55040 alone, but the research confirms that combining it with the still‑undisclosed bug completely breaks the server’s security boundaries.
Rapid7 is holding technical details under a 30‑day coordinated-disclosure window requested by Microsoft, with a caveat: if active exploitation appears in the wild or another party publishes the mechanics, Rapid7 may release earlier. As of July 15, Microsoft and CISA had not reported any known exploitation of CVE-2026-55040, but the existence of an incomplete attack chain sharply limits the comfort that statement provides.
What This Means for Your Organization
If you run an on‑premises SharePoint farm that is reachable from the internet—or even from a moderately permissive corporate network—the practical risk is immediate. Impersonating a user with read‑only rights still exposes any document that user can open. Impersonating an administrator hands over the keys to site configuration, permissions management, and any custom workflows or business processes tied to SharePoint.
For organizations still on SharePoint 2016 or 2019, the timing packs a second punch. Both products exited extended support on July 14, 2026—the very same day the CVE-2026-55040 patches shipped. Installing KB5002891 or KB5002883 closes this particular vulnerability, but it does not extend the product lifecycle. No further security updates are guaranteed after this release. A SharePoint 2016 farm is now permanently unsupported, and any flaw discovered after July 14 lands on administrators to mitigate without a vendor fix.
SharePoint Server Subscription Edition remains in full support and will receive the August RCE patch. For shops that can’t immediately migrate, the path forward is defensive hardening until a plan is in place.
How We Got Here
Rapid7 reported the full exploit chain to Microsoft on May 18, 2026. Microsoft confirmed the findings two days later. The decision to split the fix was a calculated one: patch the authentication bypass in July, even though it’s only the first link in the chain, rather than wait until August to deliver both fixes together. That trade‑off gives attackers half a chain for about a month, but it also closes the most easily exploitable entry point for any adversary who hasn’t already discovered the second bug.
Coordinated vulnerability disclosure often works this way when flaws are chained. By shipping a partial fix, Microsoft forces would‑be attackers to find or develop a new weapon for the remaining step, raising the bar from “copy‑paste a proof‑of‑concept” to active vulnerability research. Still, administrators should treat July’s patch as an incomplete remedy and plan for another maintenance window in August.
What to Do Now
SharePoint patching is not a simple double‑click installer. Every server in a farm must receive the update, run the SharePoint Products Configuration Wizard (or its command‑line equivalent, PSConfig.exe), and then report the new build number before the farm is considered safe. A machine that shows an installed Windows update but hasn’t finished the SharePoint post‑update configuration is still vulnerable.
1. Apply the correct update packages.
- SharePoint Server Subscription Edition: KB5002882
- SharePoint Server 2019: KB5002883 (plus the language‑pack update KB5002885 if needed)
- SharePoint Enterprise Server 2016: KB5002891 and KB5002892
2. Handle known deployment caveats.
- If your farm uses SharePoint Workflow Manager, install KB5002799 before the cumulative update for Subscription Edition.
- After running the Configuration Wizard on Subscription Edition, Microsoft instructs administrators to set DisableActorTokenAudienceValidation to true via PowerShell. This disables a new defense‑in‑depth validation feature still under development that can cause a regression; existing token validation checks remain in place. Document this step and include it in your change plan—do not skip it.
3. Update every server in the farm.
Each front‑end, application, and search server needs the packages and the Configuration Wizard run. A partially updated farm is exploitable if an attacker reaches a vulnerable entry point. Rotate servers out of load‑balancer rotation individually, patch and configure them, then bring them back once the build number proves the update took effect.
4. Verify the new build numbers.
Use Central Administration or Get-SPProduct -Local in PowerShell. The expected builds after July 2026 are:
- Subscription Edition: 16.0.19725.20434
- 2019: 16.0.10417.20175
- 2016: 16.0.5561.1001
5. Test and monitor.
After patching, test core workflows, custom solutions, and authentication scenarios. Review SharePoint and IIS logs for unusual access patterns, especially authentication events that map to privileged identities from unexpected IP addresses.
6. Reduce exposure—especially for unsupported versions.
- Remove direct internet access to SharePoint farms if at all possible. Use VPNs, reverse proxies with strict rules, or Azure AD Application Proxy to control ingress.
- Audit and remove unnecessary accounts. Eliminate old site collection administrators and service accounts that are no longer needed.
- Enable‑intensive logging for authentication events, and set alerts for any activity from administrative accounts during anomalous hours.
7. Plan for the next patch.
August 2026 will bring the RCE fix. Schedule a maintenance window now. If you postponed the July update, you’ll need to apply both the July and August packages together and run the Configuration Wizard twice.
Outlook
Until Rapid7 publishes the full technical write‑up—which could happen as early as mid‑August, sooner if exploitation appears—the only trustworthy defense is a completed July patch on every SharePoint server in your organization. Organizations still running SharePoint 2016 or 2019 should treat the July update as a last‑resort security blanket and begin migration planning in earnest, because unsupported server software running in a production network is an invitation that becomes impossible to decline after the August RCE details land.
SharePoint Online users can sit this one out. For everyone else, the clock is already ticking on both the patching week and the countdown to the second half of the attack chain.