CVE Tools

CVE-2026-56155

Active Directory Federation Services Elevation of Privilege Vulnerability

Published: Jul 14, 2026Updated: Jul 15, 2026 Sources: CVE List NVDCWE-1220

Description

Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate privileges locally.

In plain language

AI Act now

CVE-2026-56155 is a local privilege-escalation flaw in Active Directory Federation Services (ADFS) that has already been used in real attacks, so if your business runs ADFS on affected Windows versions, you should act now.

Executive summary

CVE-2026-56155 is a privilege escalation in Active Directory Federation Services (ADFS) (CWE-1220) where insufficient access control allows a local attacker with low-level permissions to gain higher privileges; Microsoft and CISA have confirmed it is being exploited in the wild.

If affected, business impact
Full takeover of the affected hostCredential theft and lateral movementService disruption for sign-in flowsHigh risk of ransomware follow-on

What to do now

  1. Check whether you run Active Directory Federation Services (ADFS) on any of these systems: Windows 10; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025.
  2. For each affected system, look up the current installed build/patch level and compare it to the fixed versions below.
  3. Immediately install the vendor fix for each impacted Windows version (use Windows Update or the Microsoft update guide) and confirm the system reaches the fixed build.
  4. If you cannot patch right away, follow Microsoft/CISA mitigation guidance from the Microsoft update guide, and consider temporarily limiting access to ADFS-related services per vendor instructions.
Patch / advisory Usually a quick update

CVSS Vector Breakdown

AV:LAC:LPR:LUI:NS:UC:HI:HA:H
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:LPrivileges Required
Low
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High

Weaknesses

Affected Products

and 13 more affected products View all →

Exploitability

CISA Known Exploited Vulnerability
Added to KEV:Jul 14, 2026
Remediation due:Jul 28, 2026

Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Official Patch Available

References

12
See all →

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-56155 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows