CVE-2026-56164 – Microsoft SharePoint Server Elevation of Privilege Vulnerability

CVSS 5.3 MODERATE Critical or Zero Day – Immediate Deployment

“An internet-facing server without proper authentication can give attackers an open door where there should only be a locked gate.”

A missing authentication vulnerability in Microsoft SharePoint Server allows an unauthorized attacker to elevate privileges over the network. Because the flaw is remotely exploitable without requiring authentication or user interaction, attackers can target vulnerable SharePoint servers directly. Microsoft has confirmed active exploitation of this vulnerability and has released security updates for affected SharePoint versions.

CVSS Score: 5.3

SEVERITY: Moderate

THREAT:
This vulnerability affects Microsoft SharePoint Server by allowing an unauthenticated attacker to perform privilege escalation over the network. The flaw stems from missing authentication for a critical function, enabling an attacker to reach functionality that should require authorization. Internet-facing SharePoint servers are particularly exposed because the attack can be performed remotely without valid credentials.

EXPLOITS:
Microsoft confirms that active exploitation has been detected. The vulnerability was not publicly disclosed before the security update. The CVSS v3.1 temporal metrics indicate Functional exploit code maturity, demonstrating that working exploit code exists. The provided information does not specifically confirm publicly available proof-of-concept code.

TECHNICAL SUMMARY:
The vulnerability is caused by missing authentication for a critical function (CWE-306) within Microsoft SharePoint Server. An attacker can send specially crafted network requests to access functionality that should require authentication, resulting in privilege escalation. The vulnerability primarily impacts system integrity by allowing unauthorized actions without requiring prior authentication or user interaction.

EXPLOITABILITY:
Affected products include Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint Server Subscription Edition. The vulnerability is remotely exploitable over the network with no privileges required and no user interaction, making internet-accessible SharePoint deployments the highest priority for remediation.

BUSINESS IMPACT:
Organizations using SharePoint for document management, collaboration, and business workflows face increased risk if vulnerable servers are exposed. Successful exploitation could allow attackers to gain elevated privileges, modify SharePoint content, compromise collaboration environments, and establish a foothold for further attacks against enterprise infrastructure. Since SharePoint often stores sensitive corporate information, compromise of these systems can have significant operational and security consequences.

WORKAROUND:
No workaround is available. Microsoft recommends installing the appropriate security updates. As an additional mitigation, organizations should enable Antimalware Scan Interface (AMSI) integration and configure Request Body Scan mode to Full to improve detection of malicious SharePoint requests until updates are fully deployed.

URGENCY:
This vulnerability should be prioritized because Microsoft has confirmed active exploitation in the wild. The combination of remote network access, no authentication requirement, no user interaction, and functional exploit code significantly lowers the barrier to successful attacks. Organizations with internet-facing SharePoint servers should deploy the security updates as soon as possible.

Key Details

Affected Product
Microsoft Sharepoint Server
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
CWE Classification
CWE-306
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.