Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-55040

SharePoint Server JWT token authentication bypass

Critical authentication bypass in Microsoft SharePoint Server's JWT validation pipeline. Half of a pre-auth RCE chain disclosed by Rapid7; patched in the July 2026 cumulative update.

cat cve-2026-55040.json
Vendor
Microsoft
Product
Microsoft SharePoint Server (on-prem; see MSRC advisory for affected builds)
CVSS
9.1
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-55040 is a critical (CVSS 9.1) authentication bypass in Microsoft SharePoint Server, caused by validation failures in the JWT token pipeline that let an unauthenticated attacker assume a user identity over the network. Discovered by Rapid7 Labs and disclosed to Microsoft ahead of coordinated release.

Microsoft shipped the fix in the July 2026 Patch Tuesday release on 2026-07-14. Rapid7 is holding full technical detail under a roughly 30-day embargo, expiring in mid-August.

Half of a chain. Rapid7’s research chained CVE-2026-55040 with a separate SharePoint RCE vulnerability to reach unauthenticated remote code execution end-to-end. The RCE half has been disclosed to Microsoft but is not yet patched — expected in the August 2026 update cycle.

Exploitation status. No public PoC. No confirmed in-the-wild exploitation of CVE-2026-55040 at time of publication. Separately, CVE-2026-56164 — a different SharePoint bug in the same patch cycle — is actively exploited and was added to CISA KEV on 2026-07-14; both should be patched together.

See the write-up: SharePoint JWT bypass fixed; RCE half of chain still open.