{"id":22112,"date":"2026-07-15T11:39:55","date_gmt":"2026-07-15T11:39:55","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/07\/15\/sharepoint-jwt-bypass-exposes-on-premises-sites\/"},"modified":"2026-07-15T12:21:56","modified_gmt":"2026-07-15T12:21:56","slug":"sharepoint-jwt-bypass-exposes-on-premises-sites","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2026\/07\/15\/sharepoint-jwt-bypass-exposes-on-premises-sites\/","title":{"rendered":"SharePoint JWT Bypass Exposes On-Premises Sites"},"content":{"rendered":"<p style=\"color:#69d8ed;font-weight:700;font-size:0.9em;letter-spacing:0.04em;margin:0 0 16px 0;\">7 Min. Reading time<\/p>\n<p><strong>CVE-2026-55040 allows unauthenticated attackers to masquerade as SharePoint users. Rapid7 reports CVSS 9.1. The auth bypass breaks the chain before the planned RCE component is rolled out in August.<\/strong><\/p>\n<div style=\"background:#003340;color:#fff;padding:32px 36px;margin:32px 0;border-radius:8px;\">\n<p style=\"margin:0 0 18px 0;font-size:0.95em;font-weight:800;text-transform:uppercase;letter-spacing:0.2em;color:#69d8ed;border-bottom:2px solid rgba(105,216,237,0.25);padding-bottom:12px;\">Key Takeaways<\/p>\n<ul style=\"margin:0;padding-left:22px;color:rgba(255,255,255,0.92);line-height:1.6;\">\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Patch authentication first.<\/strong> CVE-2026-55040 is the entry point. Without a valid session, the RCE chain described by Rapid7 breaks.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Identity suffices.<\/strong> The target user\u2019s SID or UPN suffices as a prerequisite for identity takeover.<\/li>\n<li style=\"margin-bottom:12px;\"><strong style=\"color:#69d8ed;\">Prioritize on-prem.<\/strong> Internet\u2011exposed SharePoint servers are the urgent inventory, not just the CVE list.<\/li>\n<li style=\"\"><strong style=\"color:#69d8ed;\">Second zero\u2011day under scrutiny.<\/strong> CVE-2026-56164 (SharePoint EoP) has already been exploited according to Microsoft. Check AMSI mitigations.<\/li>\n<\/ul>\n<\/div>\n<p style=\"font-size:0.88em;color:#a8a59c;margin:20px 0 32px 0;border-top:1px solid rgba(105,216,237,0.18);border-bottom:1px solid rgba(105,216,237,0.18);padding:10px 0;\"><span style=\"font-family:monospace;color:#69d8ed;font-weight:700;text-transform:uppercase;font-size:0.72em;letter-spacing:0.14em;margin-right:14px;\">Related:<\/span><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/11\/weakest-supplier-opens-critical-facility\/\" style=\"color:#e6e3da;text-decoration:underline;\">The weakest supplier opens the critical facility<\/a>&nbsp;&nbsp;<span style=\"color:#555;\">\/<\/span>&nbsp;&nbsp;<a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/11\/a-signed-driver-makes-endpoint-protection-blind\/\" style=\"color:#e6e3da;text-decoration:underline;\">A signed driver blinds endpoint protection<\/a><\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">What CVE-2026-55040 Breaks<\/h2>\n<p><strong>What is the SharePoint JWT Bypass?<\/strong> CVE-2026-55040 is a vulnerability in the JWT token validation of Microsoft SharePoint. A remote, unauthenticated attacker can bypass authentication and perform actions as a site user or administrator, provided they know the target identity.<\/p>\n<p>The flaw was discovered by Stephen Fewer of Rapid7 Labs as part of a zero\u2011day research project. Coordination with Microsoft began on May 18, 2026. On July 14, 2026, public disclosure was released along with the July patch.<\/p>\n<div data-element=\"key_number\" style=\"background:#003340;border:1px solid rgba(105,216,237,0.28);border-radius:10px;padding:28px 24px;margin:32px 0;text-align:center;\">\n<div style=\"font-size:2.6em;font-weight:800;color:#69d8ed;line-height:1.05;word-break:keep-all;\">9.1<\/div>\n<p style=\"margin:10px 0 0;font-size:0.92em;color:#e6e3da;\">CVSS v3.1 for CVE-2026-55040 (Critical)<\/p>\n<p style=\"margin:6px 0 0;font-size:0.78em;color:#8fa3ab;\">Source: Rapid7 \/ FIRST Calculator<\/p>\n<\/div>\n<p>The prerequisite is precise: The attacker must know the target, such as via an Active Directory SID or UPN (typically email\u2011like). Then they can assume the identity. Rapid7 describes SID enumeration plus identity takeover up to the site administrator in the PoC representation.<\/p>\n<div data-element=\"definition_box\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:20px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 8px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">Definition \u00b7 JSON Web Token (JWT) Authentication Bypass<\/p>\n<p style=\"margin:0;color:#e6e3da;line-height:1.6;\">An attacker bypasses token verification and acts as a known SharePoint user without knowing their password.<\/p>\n<\/div>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Why the Auth Bypass Stops the RCE Chain<\/h2>\n<p>Rapid7 linked the bypass to an unauthenticated remote code execution (RCE) flaw, which Microsoft had scheduled for the August patch cycle. The July fix for CVE-2026-55040 already breaks this chain. Authentication bypasses are far from minor problems-they fully expose the authenticated attack surface.<\/p>\n<p>At the same time, the July patch Tuesday addresses CVE-2026-56164, a SharePoint elevation\u2011of\u2011privilege vulnerability that Microsoft reports is actively exploited (CVSS 5.3, Moderate). Affected: SharePoint Server 2016, 2019 and the Subscription Edition. Microsoft points to AMSI integration as an additional detection mechanism for malicious POST requests. This does not replace the patch but complements it.<\/p>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">Priority for DACH Admins<\/h2>\n<p>Start by inventorying: Which SharePoint servers are running on\u2011premises and reachable from the Internet? Every such instance qualifies as a hotfix. Then verify the patch level against the July updates. Record the build status. Keep a rollback plan on hand-but don\u2019t postpone the patches.<\/p>\n<p>Next, hunt for identity clues: unusual site\u2011admin activity, new web parts, suspicious file uploads, token and authentication anomalies in the logs. Those who only chase CVEs and ignore exposure are wasting time.<\/p>\n<div data-element=\"checklist\" style=\"background:#23261f;border:1px solid rgba(105,216,237,0.22);border-radius:10px;padding:22px 24px;margin:32px 0;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 2px 10px rgba(0,0,0,0.22);\">\n<p style=\"margin:0 0 12px;font-family:'IBM Plex Mono',ui-monospace,SFMono-Regular,monospace;font-size:0.72em;letter-spacing:0.12em;text-transform:uppercase;color:#69d8ed;\">ON-PREM-SHAREPOINT NOW<\/p>\n<ul style=\"margin:0;padding-left:0;list-style:none;\">\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Apply the July 2026 updates for SharePoint Server and verify the build status<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Inventory internet\u2011exposed SharePoint instances and kill the exposure<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Check AMSI integration for SharePoint (Microsoft mitigation for related EoP paths)<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Audit admin and site accounts for unusual logins and token patterns<\/li>\n<li style=\"margin:0 0 10px;padding-left:26px;position:relative;color:#e6e3da;line-height:1.5;\"><span style=\"position:absolute;left:0;color:#69d8ed;\">&#10003;<\/span>Track auth\u2011bypass and RCE chains separately: schedule the August patch for the RCE component<\/li>\n<\/ul>\n<\/div>\n<h2 style=\"margin-top:64px;margin-bottom:20px;padding-top:16px;\">What the Board Set Must Include<\/h2>\n<p>On-Prem-SharePoint remains an attack surface as long as authentication paths are weak and instances are exposed. CVE-2026-55040 shows: collaboration platforms are management layers. Who patches them and removes them from the internet breaks chains. Who waits buys the August RCE share at a higher price.<\/p>\n<h2 style=\"padding-top:64px;margin-bottom:20px;\">Frequently Asked Questions<\/h2>\n<p class=\"st-faq-hint\">Every question is locked. A tap unlocks the answer.<\/p>\n<details>\n<summary><strong>Is CVE-2026-55040 remotely exploitable?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Yes. Rapid7 describes a remote, unauthenticated attack path. Prerequisite is knowledge of the target identity (SID or UPN).<\/p>\n<\/details>\n<details>\n<summary><strong>Is the July patch sufficient against the full RCE chain?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">He breaks the chain described by Rapid7 at the Auth-Bypass. The separate RCE component is slated to follow in the August cycle. Nevertheless, patch immediately.<\/p>\n<\/details>\n<details>\n<summary><strong>Is SharePoint Online affected?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">The disclosure targets SharePoint Server and the JWT validation pipeline of the affected server products. The MSRC entry for the respective build provides the exact patch scope.<\/p>\n<\/details>\n<details>\n<summary><strong>What is the difference to CVE-2026-56164?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">56164 is an EoP with confirmed exploitation in the wild. 55040 is a JWT authentication bypass with CVSS 9.1 and chaining potential to RCE.<\/p>\n<\/details>\n<details>\n<summary><strong>Which mitigation counts in addition to the patch?<\/strong><\/summary>\n<p style=\"margin:8px 0 4px 24px;color:#555;line-height:1.6;\">Reduce internet exposure, activate AMSI for SharePoint, monitor admin accounts, and alert on unusual site operations.<\/p>\n<\/details>\n<p><!--ST-LOWER-CARDS lang=en--><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">Editor&#8217;s Picks<\/h3>\n<p><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/11\/weakest-supplier-opens-critical-facility\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/kritis-lieferkette-zulieferer-resilienz-cover-hero-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">Weakest Supplier Opens Critical Facility<\/span><\/span><\/a><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/07\/11\/a-signed-driver-makes-endpoint-protection-blind\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/cover-hero-8-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#69d8ed;margin-bottom:5px;\">Editor&#8217;s Pick<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">A Signed Driver Makes Endpoint Protection Blind<\/span><\/span><\/a><\/p>\n<h3 style=\"margin:48px 0 18px;padding-left:12px;font-size:1.05em;font-weight:800;color:#e6e3da;border-left:3px solid #69d8ed;line-height:1.2;\">More from the MBF Media Network<\/h3>\n<p><a href=\"https:\/\/www.cloudmagazin.com\/en\/2026\/07\/15\/when-gpus-devour-the-saas-budget\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-wenn-gpus-den-saas-etat-auffressen-24878004.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#0bb7fd;margin-bottom:5px;\">cloudmagazin<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">When GPUs Devour the SaaS Budget<\/span><\/span><\/a><a href=\"https:\/\/mybusinessfuture.com\/en\/when-a-german-ai-model-truly-pays-off\/\" style=\"display:flex;align-items:center;gap:14px;padding:12px 14px;margin:0 0 10px;background:#23261f;border:1px solid rgba(105,216,237,0.18);border-radius:12px;box-shadow:inset 0 1px 0 rgba(230,227,218,0.06),0 6px 18px rgba(0,0,0,0.22);text-decoration:none;color:#e6e3da;box-sizing:border-box;width:100%;\"><span style=\"flex:0 0 116px;aspect-ratio:16\/9;overflow:hidden;border-radius:8px;background:#111210;border:1px solid rgba(230,227,218,0.08);display:block;\"><img decoding=\"async\" src=\"https:\/\/www.securitytoday.de\/wp-content\/uploads\/2026\/07\/net-wann-sich-deutsches-ki-modell-rechnet-45689807-250x143.jpg\" alt=\"\" loading=\"lazy\" width=\"116\" height=\"65\" style=\"width:100%;height:100%;object-fit:cover;display:block;\"><\/span><span style=\"display:block;min-width:0;\"><span style=\"display:block;font-size:0.68em;font-weight:700;letter-spacing:0.1em;text-transform:uppercase;color:#aa8ac2;margin-bottom:5px;\">MyBusinessFuture<\/span><span style=\"display:block;font-size:1.0em;font-weight:650;line-height:1.35;color:#e6e3da;overflow-wrap:anywhere;\">When a German AI Model Truly Pays Off<\/span><\/span><\/a><!--\/ST-LOWER-CARDS--><\/p>\n","protected":false},"excerpt":{"rendered":"CVE-2026-55040: Unauthenticated SharePoint JWT bypass (CVSS 9.1). Rapid7 chain, July patch, and on-prem admin checklist.","protected":false},"author":10,"featured_media":22103,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"SharePoint JWT bypass CVE-2026-55040","_yoast_wpseo_title":"SharePoint JWT Bypass Exposes On-Premises Sites","_yoast_wpseo_metadesc":"CVE-2026-55040: Unauthenticated SharePoint JWT bypass (CVSS 9.1). Rapid7 exploit chain, July patch, and on-prem admin checklist.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"evm_cvss":0,"evm_risk":0,"evm_casefile":"","evm_primary_cve":"","evm_external_preview_token":"","evm_external_preview_expires":"","_evm_translation_lang":"en","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":[],"footnotes":""},"categories":[255],"tags":[],"class_list":["post-22112","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-praxis-umsetzung-en"],"evm_reading_time_minutes":5,"wpml_language":"en","wpml_translation_of":22102,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=22112"}],"version-history":[{"count":1,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22112\/revisions"}],"predecessor-version":[{"id":22124,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/22112\/revisions\/22124"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/22103"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=22112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=22112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=22112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}