AD FS elevation of privilege — insufficient access-control granularity
Active Directory Federation Services access-control granularity flaw lets an authorized attacker escalate privileges locally. Exploited in the wild; added to CISA KEV 2026-07-14.
- Vendor
- Microsoft
- Product
- Active Directory Federation Services (AD FS) — see MSRC advisory for affected builds
- CVSS
- 7.8
- EPSS (exploit probability)
- N/A
- Status
- kev
- Published
CVE-2026-56155 is an elevation-of-privilege vulnerability in Microsoft Active Directory Federation Services caused by insufficient granularity of access control. Per Microsoft’s advisory, an authorized attacker can use it to elevate privileges locally on the AD FS host. NVD scores it 7.8 (high). Microsoft rates it Important. Credited to Microsoft’s DART team.
Microsoft shipped the fix in the July 2026 Patch Tuesday release on 2026-07-14 and confirmed active exploitation. CISA added the CVE to the Known Exploited Vulnerabilities catalog the same day, bringing it under BOD 26-04 remediation timelines for federal civilian agencies.
Because AD FS typically fronts downstream authentication for Microsoft 365 and on-prem federated apps, a compromise here is a credentialed identity-plane compromise. Patch first; treat any pre-patch anomaly in AD FS logs as a lead worth chasing.
See the write-up: Microsoft July Patch Tuesday: 570 CVEs, 3 zero-days out.
