CVE-2026-55040
Microsoft SharePoint Server Security Feature Bypass Vulnerability
Description
Weak authentication in Microsoft Office SharePoint allows an unauthorized attacker to bypass a security feature over a network.
In plain language
AI Act nowCVE-2026-55040 is a SharePoint Server security bypass that lets an attacker access (and possibly change) protected information over the network without logging in; if you run SharePoint Server 2016/2019/Subscription Edition, you should treat this as urgent and update to the fixed versions.
CVE-2026-55040 is a security feature bypass in Microsoft SharePoint Server (Enterprise 2016, Server 2019, and Subscription Edition) that can be reached over the network without authentication, allowing an attacker to obtain sensitive data and potentially modify information due to weak authentication.
What to do now
- Check which Microsoft SharePoint Server product you run (2016, 2019, or Subscription Edition) and confirm the currently installed patch level.
- If you are on an affected version, upgrade SharePoint to the fixed versions listed below.
- After updating, verify your SharePoint patch level matches the fixed version for your edition and review relevant access/activity logs for unusual requests.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
References
- CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilitiesen-us·SecurityWeek· Summary only·
- Цунами уязвимостей: июльский Microsoft Patch Tuesdayru-ru·Kaspersky Daily (RU)· Summary only·
- Researcher Drops New Windows Zero-Day PoC Hours After Microsoft Patch Tuesdayen·The Hacker News·
- AI-driven bug hunting fuels record Microsoft Patch Tuesdayen-us·Help Net Security·
- CISA warns admins to patch actively exploited SharePoint flawsen-us·BleepingComputer·
- Microsoft and Adobe Patch Tuesday, July 2026 Security Update Reviewen-us·Qualys Security Blog·
- Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilitiesen·Cisco Talos·
- Microsoft Patches Record 622 Flaws, Including Two Zero-Days Under Active Attacken·The Hacker News·
- Microsoft Patch Tuesday July 2026 - The AI Acopolypse is Hereen·SANS Internet Storm Center·
- Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-daysen-us·BleepingComputer·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-55040 and every CVE in our database. Create a free account — no credit card required.
Create Free Account