SharePoint JWT bypass fixed; RCE half of chain still open
Rapid7 disclosed CVE-2026-55040 today — a SharePoint JWT auth bypass patched in July Patch Tuesday. Second half of a pre-auth RCE chain lands next month. Patch now.
Rapid7 disclosed CVE-2026-55040 today, a critical (CVSS 9.1) authentication bypass in Microsoft SharePoint Server’s JWT token validation pipeline. Microsoft shipped the fix in today’s Patch Tuesday; Rapid7 is holding full technical detail under a coordinated embargo for roughly 30 days. Patch it. Now.
Two things to be clear about upfront.
One: this is only half the chain. Rapid7’s SharePoint zero-day research chained CVE-2026-55040 with a separate SharePoint RCE bug to get unauthenticated code execution end-to-end. The second half is disclosed to Microsoft but not yet fixed — expected in the August cumulative update. Today’s patch closes the auth-bypass leg, not the full chain. Don’t tell yourself SharePoint is “done” this month because you took the July KBs.
Two: no evidence of in-the-wild exploitation for CVE-2026-55040 yet, and no public PoC. That’s what the embargo buys you — a window before technical detail lands publicly. Use it.
The other SharePoint issue this week. CVE-2026-56164 landed in the same patch cycle, is exploited in the wild, and CISA added it to KEV today. Different bug, same product, same maintenance window. Don’t run two SharePoint outages this week — do both in the same touch.
Priority order for on-prem SharePoint Server:
- Apply the July 2026 cumulative update. It closes CVE-2026-55040 (this one) and CVE-2026-56164 (the KEV entry, actively exploited).
- If you can’t patch on the standard window, isolate on-prem SharePoint from untrusted networks until you can — CVE-2026-56164 is being used against unpatched servers, per CISA.
- Don’t wait for August to think about the RCE half. Assume the second Rapid7 CVE lands next Patch Tuesday and plan the August maintenance window now, not on the 12th when everyone else is scrambling.
- Review SharePoint authentication logs for the last two weeks for anomalous JWT-based access. No in-the-wild indicator for 55040 yet, but the embargo is 30 days and the technical detail will be public before the next Patch Tuesday.
On SharePoint Online (Microsoft 365). Rapid7’s disclosure is scoped to SharePoint Server; Microsoft handles Online patching in the tenant. Nothing for you to install there.
Sourcing: Rapid7 disclosure, MSRC advisory, NVD entry, and the Patch Tuesday roundup covering the full 570-CVE cycle.
Found this useful? Share it.


