Microsoft patched CVE-2026-55040 on July 14, 2026, as part of its record-breaking Patch Tuesday. The flaw allows an unauthenticated attacker to bypass SharePoint’s JSON Web Token (JWT) authentication and impersonate any user — including site administrators. What makes this vulnerability especially urgent is that it is the first half of a two-CVE remote code execution chain discovered by Rapid7 at Pwn2Own Berlin. The second vulnerability in the chain is still under embargo and will not be patched until August 2026. If you run on-premises SharePoint Server, applying the July 2026 cumulative updates now closes the door before the second half of the attack is made public.
What the Vulnerability Is
CVE-2026-55040 is a security feature bypass in SharePoint Server’s JWT token validation logic. JWT tokens are the signed credentials SharePoint uses to prove a user’s identity between requests. A flaw in how the server validates these tokens allows a remote, unauthenticated attacker to forge a token that SharePoint accepts as legitimate — effectively letting the attacker claim to be any account whose username, SID, or UPN (User Principal Name) they can identify.
The vulnerability was discovered by Stephen Fewer, Senior Principal Security Researcher at Rapid7, during the Pwn2Own Berlin 2026 competition, and disclosed to Microsoft in coordinated fashion. Rapid7 assigns it a CVSS score of 5.3 Medium, reflecting that an attacker must know the target identity’s account name or SID to exploit it. Some secondary sources have reported a CVSS of 9.1 Critical; Rapid7, as the original discoverer and discloser, is the authoritative source and the 5.3 figure is used here.
The vulnerability is classified as a Security Feature Bypass (SFB) rather than a direct RCE flaw. On its own it lets an attacker authenticate as any SharePoint user. The real danger is what it enables next.
Why It Matters
This is part one of a two-exploit remote code execution chain.
Rapid7’s Adam Barnett described it plainly: CVE-2026-55040 is the first in a pair of exploits which, when chained together, can lead to unauthenticated remote code execution against a vulnerable SharePoint server. The second vulnerability — which completes the RCE chain — remains embargoed and is expected to be patched in August 2026.
That timeline creates a specific risk window:
- Now through August Patch Tuesday: An attacker who can identify a valid SharePoint account name can authenticate as that account. If they chain a yet-to-be-public RCE technique with this bypass, they could achieve full server compromise without any valid credentials.
- After August Patch Tuesday: Rapid7 will likely publish its full technical write-up, making the complete chain public. Unpatched servers will face a well-documented, weaponizable RCE exploit.
Microsoft has already responded to a broader pattern of SharePoint exploitation. On July 14, 2026, CISA issued an alert urging organizations to apply additional SharePoint hardening measures, citing active exploitation of other recently patched SharePoint flaws (CVE-2026-32201 and CVE-2026-45659). CVE-2026-55040 has not yet been observed in active exploitation as of this writing, but that picture can change quickly once the embargoed second CVE becomes public.
Am I Affected?
You are affected if you run any of the following on-premises SharePoint Server versions and have not yet applied the July 2026 cumulative updates:
- SharePoint Server Subscription Edition
- SharePoint Server 2019
- SharePoint Server 2016
SharePoint Online (Microsoft 365) is managed by Microsoft and is not affected — no action is needed for cloud-hosted tenants.
To check your version: In SharePoint Central Administration, go to Upgrade and Migration → Review database status or check the build number against Microsoft’s published update history. Any build predating the July 2026 cumulative update is vulnerable.
What to Do About It: Step-by-Step
1. Apply the July 2026 SharePoint cumulative updates immediately.
- Download updates via Windows Server Update Services (WSUS), Microsoft Update Catalog, or the Microsoft Download Center.
- Update all servers in your SharePoint farm: front-end web servers, application servers, and any server running SharePoint services.
- Run the SharePoint Products Configuration Wizard (PSConfig) on each server after patching to complete the upgrade.
- Verify your new build number against Microsoft’s SharePoint update reference to confirm the patch applied successfully.
2. Enable the Antimalware Scan Interface (AMSI) integration on SharePoint.
- Microsoft notes AMSI as a secondary mitigation that can detect and block certain SharePoint-based attacks.
- Enable via SharePoint Management Shell:
Enable-SPFeature -Identity "AmsiIntegration" -Url http://<your-sharepoint-site> - This does not replace patching but adds a detection layer.
3. Audit SharePoint accounts for exposure.
- Review which account names, SIDs, and UPNs might be discoverable by external parties (e.g., through OSINT, leaked directory data, or public-facing SharePoint search).
- Consider enforcing additional authentication controls at the perimeter (reverse proxy, WAF, VPN requirement) for SharePoint access until the August patch cycle closes the full RCE chain.
4. Monitor for suspicious SharePoint authentication events.
- Look for authentication activity from unexpected IP addresses or at unusual hours.
- Alert on any account accessing SharePoint that hasn’t authenticated recently or at all.
5. Plan for the August 2026 patch cycle.
- The second CVE in the RCE chain will be patched in August 2026. Set a reminder to apply it immediately upon release — do not wait for your normal patch window.
Quick-Win Checklist
- Confirm SharePoint Server version and identify whether the July 2026 cumulative update has been applied.
- Download and apply the July 2026 cumulative update for your SharePoint version (SE, 2019, or 2016).
- Run PSConfig on every server in the farm to complete the patch.
- Enable AMSI integration on SharePoint as an additional detection layer.
- Place SharePoint behind VPN or WAF to limit unauthenticated public exposure.
- Review and audit externally visible SharePoint account names / UPNs.
- Set a calendar reminder for August 2026 Patch Tuesday to close the second half of the RCE chain.