Microsoft fixed a spoofing vulnerability in its on-premises SharePoint servers on July 14, 2026. The patch lands for SharePoint Server 2016, 2019, and Subscription Edition under CVE-2026-55020. But if your farm uses SharePoint Workflow Manager, you have an extra hoop to jump through: KB5002799 must be installed before you touch the cumulative update.
Administrators who skip that step risk breaking workflow services and leaving the door open to impersonation attacks that could erode user trust in internal portals. The flaw is rated “confirmed” by Microsoft’s researchers, meaning they’ve reproduced it—not that attackers are actively swinging at it. Yet. Here’s what changed, why it matters to your organization, and how to stage a clean deployment.
What the Spoofing Flaw Actually Does
Microsoft hasn’t published a technical walkthrough or proof-of-concept for CVE-2026-55020. The advisory tags it as a spoofing vulnerability with “confirmed” report confidence. That means the security team verified the bug exists and can be recreated in a lab; it does not indicate exploitation in the wild.
Spoofing in SharePoint’s context is not about remote code execution or direct server takeover. Instead, an attacker could manipulate identity signals or content to appear more trustworthy than they really are. Think forged links, impersonation of trusted internal pages, or misleading metadata that tricks users into handing over credentials or executing harmful actions. Because a SharePoint portal sits inside the corporate firewall and often houses sensitive documents, people click with far less hesitation than on an external site.
The absence of public exploit details cuts both ways. Defenders can’t scan IIS logs for a known pattern or bad endpoint, so patch deployment is the only reliable remediation. But it also means opportunistic attackers haven’t yet reverse-engineered the fix—assuming the update contains the only public clue. That window won’t stay open long.
Which Servers Need the Update Today
The July security rollups cover three on-premises generations still in support. Each gets a distinct KB package and build number:
| SharePoint Version | KB Number | Build Number |
|---|---|---|
| SharePoint Server Subscription Edition | KB5002882 | 16.0.19725.20434 |
| SharePoint Server 2019 | KB5002883 | 16.0.10417.20175 |
| SharePoint Server 2016 | KB5002891 | 16.0.5561.1001 |
These are cumulative updates. They supersede previous releases—KB5002873 for Subscription Edition and KB5002874 for SharePoint Server 2019—so you don’t need to install old patches first. But you do need to run the SharePoint Products Configuration Wizard (or PSConfig) on each server in the farm after installing the binaries. Only then do databases and features complete their upgrade sequence. Checking the farm’s health via Central Administration, Get-SPProduct -Local, and upgrade-status pages is mandatory.
Crucially, the July rollup bundles fixes for multiple vulnerability classes: remote code execution, elevation of privilege, information disclosure, security feature bypass, and spoofing. Even if you consider spoofing a lower priority, the cumulative patch closes other high-severity holes.
The Workflow Manager Prerequisite: KB5002799 Comes First
Farms using SharePoint Workflow Manager face a strict ordering requirement. Microsoft’s guidance says to install KB5002799 before the July SharePoint security update. This Workflow Manager update dates back to November 11, 2025, and bumps the component to build 16.0.19127.20336.
The prerequisite isn’t optional. Skipping it can break workflows or leave the farm in an unsupported state after the cumulative patch. The update must be applied consistently across all servers running Workflow Manager and all SharePoint servers that interact with those workflows.
A further twist: if you’re still on the Classic Workflow Manager (often tied to SharePoint 2010 or 2013-style workflows), you need extra steps. After installing KB5002799, add server debug flag 53601, update the farm object, and restart IIS. The July patches also repair a regression from June 2026 that stopped SharePoint 2010 workflows from starting—so even if you don’t care about spoofing, this update restores broken automation in 2019 and Subscription Edition.
Subscription Edition admins face one more post-installation tweak. After running PSConfig, you should execute a PowerShell command to disable an in-development defense-in-depth feature for actor-token audience validation, which can cause a regression. Microsoft says existing actor-token validation remains active, but the workaround must be documented as a temporary security configuration change and revisited when guidance updates.
How We Got Here: A Year of Cumulative SharePoint Changes
The July 2026 patch set lands in a year where SharePoint updates have grown increasingly complex. Microsoft’s march toward the modern experience and cloud hybrid features has added unfamiliar dependencies, especially around Workflow Manager. The November 2025 Workflow Manager update, KB5002799, was originally a standalone release; now it’s a required stepping stone for security fixes.
June’s regression that broke classic workflows added urgency. It meant many shops were already nursing broken processes when the July security updates arrived. By rolling the spoofing fix and workflow repairs into one package, Microsoft forces a full-plate approach: you either take the whole cumulative update or you miss security and functionality fixes.
Limited disclosure of the spoofing mechanism fits Microsoft’s standard playbook for vulnerabilities with “confirmed” confidence but no known attacks. The company rarely releases deep technical detail until they see active exploitation or third-party research forces their hand. That keeps script-kiddies at bay but leaves admins on high alert, combing through logs for anything that looks like impersonation—even though they don’t know exactly what to look for.
Action Plan: Patch Now, But Validate Everything
-
Inventory your farm. Identify every SharePoint server, its role, and whether Workflow Manager is present. Note the current patch level and any pending restarts.
-
If you use Workflow Manager, download and install KB5002799 now—across all relevant servers—before touching the July cumulative. Apply the debug flag and farm object changes if using Classic Workflow Manager. Test workflow initiation in a staging environment.
-
Grab the correct KB for your SharePoint version (see table above) and install it on all farm servers. Don’t forget search servers, application servers, and any dedicated front-ends.
-
Run PSConfig or the SharePoint Products Configuration Wizard on every server. Confirm that databases and services upgrade cleanly. Check Central Administration for “Database or Services are required upgrade” messages.
-
For Subscription Edition farms, execute the documented PowerShell command to temporarily disable the actor-token audience validation feature. Document the change; you’ll want to re-enable it once Microsoft resolves the regression.
-
Validate beyond the build number. Test authentication (claims, Windows, forms-based), document access, search crawling, service applications, Office document rendering, timer jobs, and workflow initiation. Review ULS logs and SharePoint health analyzer warnings.
-
Monitor for suspicious activity. While you can’t detect CVE-2026-55020 directly, look for unusual redirects, unexpected content changes, or links that appear to originate from trusted internal sites. These could indicate broader spoofing attempts.
Custom web parts, third-party solutions, and authentication providers deserve extra scrutiny. KB5002883 for SharePoint Server 2019 introduces a new farm property, AllowedTagPrefixesWhichAreNotWebControlsList, that lets you explicitly trust user controls previously flagged as unsafe. If your farm relies on legacy controls, you may need to reconfigure that property post-update to avoid broken pages.
What to Watch Next
Microsoft hasn’t said when—or if—it will publish exploit details for CVE-2026-55020. Keep an eye on the MSRC advisory for updates. More importantly, the in-development actor-token validation feature in Subscription Edition suggests Microsoft may eventually ship a stronger defense against token-based spoofing. When that happens, you’ll want to remove the temporary workaround.
SharePoint cumulative updates for August and beyond will likely build on this month’s prerequisites. If your farm was patched quickly, you’ll be in a strong position. If you delayed, the technical debt will compound. The spoofing vulnerability is a reminder that even “just trust” flaws can be weaponized inside an intranet, and the patch cycle is only as good as your verification process.