SharePoint JWT Bypass Exposes On-Premises Sites
CVE-2026-55040 allows unauthenticated attackers to masquerade as SharePoint users. Rapid7 reports CVSS 9.1. The auth bypass breaks the chain before the planned RCE component is rolled out in August.
Key Takeaways
- Patch authentication first. CVE-2026-55040 is the entry point. Without a valid session, the RCE chain described by Rapid7 breaks.
- Identity suffices. The target user’s SID or UPN suffices as a prerequisite for identity takeover.
- Prioritize on-prem. Internet‑exposed SharePoint servers are the urgent inventory, not just the CVE list.
- Second zero‑day under scrutiny. CVE-2026-56164 (SharePoint EoP) has already been exploited according to Microsoft. Check AMSI mitigations.
Related:The weakest supplier opens the critical facility / A signed driver blinds endpoint protection
What CVE-2026-55040 Breaks
What is the SharePoint JWT Bypass? CVE-2026-55040 is a vulnerability in the JWT token validation of Microsoft SharePoint. A remote, unauthenticated attacker can bypass authentication and perform actions as a site user or administrator, provided they know the target identity.
The flaw was discovered by Stephen Fewer of Rapid7 Labs as part of a zero‑day research project. Coordination with Microsoft began on May 18, 2026. On July 14, 2026, public disclosure was released along with the July patch.
CVSS v3.1 for CVE-2026-55040 (Critical)
Source: Rapid7 / FIRST Calculator
The prerequisite is precise: The attacker must know the target, such as via an Active Directory SID or UPN (typically email‑like). Then they can assume the identity. Rapid7 describes SID enumeration plus identity takeover up to the site administrator in the PoC representation.
Definition · JSON Web Token (JWT) Authentication Bypass
An attacker bypasses token verification and acts as a known SharePoint user without knowing their password.
Why the Auth Bypass Stops the RCE Chain
Rapid7 linked the bypass to an unauthenticated remote code execution (RCE) flaw, which Microsoft had scheduled for the August patch cycle. The July fix for CVE-2026-55040 already breaks this chain. Authentication bypasses are far from minor problems-they fully expose the authenticated attack surface.
At the same time, the July patch Tuesday addresses CVE-2026-56164, a SharePoint elevation‑of‑privilege vulnerability that Microsoft reports is actively exploited (CVSS 5.3, Moderate). Affected: SharePoint Server 2016, 2019 and the Subscription Edition. Microsoft points to AMSI integration as an additional detection mechanism for malicious POST requests. This does not replace the patch but complements it.
Priority for DACH Admins
Start by inventorying: Which SharePoint servers are running on‑premises and reachable from the Internet? Every such instance qualifies as a hotfix. Then verify the patch level against the July updates. Record the build status. Keep a rollback plan on hand-but don’t postpone the patches.
Next, hunt for identity clues: unusual site‑admin activity, new web parts, suspicious file uploads, token and authentication anomalies in the logs. Those who only chase CVEs and ignore exposure are wasting time.
ON-PREM-SHAREPOINT NOW
- ✓Apply the July 2026 updates for SharePoint Server and verify the build status
- ✓Inventory internet‑exposed SharePoint instances and kill the exposure
- ✓Check AMSI integration for SharePoint (Microsoft mitigation for related EoP paths)
- ✓Audit admin and site accounts for unusual logins and token patterns
- ✓Track auth‑bypass and RCE chains separately: schedule the August patch for the RCE component
What the Board Set Must Include
On-Prem-SharePoint remains an attack surface as long as authentication paths are weak and instances are exposed. CVE-2026-55040 shows: collaboration platforms are management layers. Who patches them and removes them from the internet breaks chains. Who waits buys the August RCE share at a higher price.
Frequently Asked Questions
Every question is locked. A tap unlocks the answer.
Is CVE-2026-55040 remotely exploitable?
Yes. Rapid7 describes a remote, unauthenticated attack path. Prerequisite is knowledge of the target identity (SID or UPN).
Is the July patch sufficient against the full RCE chain?
He breaks the chain described by Rapid7 at the Auth-Bypass. The separate RCE component is slated to follow in the August cycle. Nevertheless, patch immediately.
Is SharePoint Online affected?
The disclosure targets SharePoint Server and the JWT validation pipeline of the affected server products. The MSRC entry for the respective build provides the exact patch scope.
What is the difference to CVE-2026-56164?
56164 is an EoP with confirmed exploitation in the wild. 55040 is a JWT authentication bypass with CVSS 9.1 and chaining potential to RCE.
Which mitigation counts in addition to the patch?
Reduce internet exposure, activate AMSI for SharePoint, monitor admin accounts, and alert on unusual site operations.
Editor’s Picks
Editor’s PickWeakest Supplier Opens Critical FacilityEditor’s PickA Signed Driver Makes Endpoint Protection Blind
More from the MBF Media Network
cloudmagazinWhen GPUs Devour the SaaS BudgetMyBusinessFutureWhen a German AI Model Truly Pays Off



