SharePoint Server elevation of privilege — missing authentication for critical function
SharePoint Server ships a critical function that's reachable without authentication, letting an unauthenticated attacker escalate over a network. Exploited in the wild; added to CISA KEV 2026-07-14.
- Vendor
- Microsoft
- Product
- Microsoft SharePoint Server (see MSRC advisory for affected builds)
- CVSS
- 5.3
- EPSS (exploit probability)
- N/A
- Status
- kev
- Published
CVE-2026-56164 is a missing-authentication-for-critical-function vulnerability in Microsoft SharePoint Server. Per Microsoft’s advisory, an unauthorized attacker can use it to elevate privileges over a network. NVD scores it 5.3 (medium); Microsoft rates it Moderate. Microsoft notes that enabling AMSI plus Request Body Scan mitigates it — the patch is what actually closes it.
Microsoft shipped the fix in the July 2026 Patch Tuesday release on 2026-07-14 and confirmed active exploitation. CISA added the CVE to the Known Exploited Vulnerabilities catalog the same day, bringing it under BOD 26-04 remediation timelines.
Note: SharePoint received a second, separately disclosed vulnerability in the same 24-hour window — Rapid7’s CVE-2026-55040, a JWT authentication bypass that forms the first half of a pre-auth RCE chain. Both should be applied together.
See the write-up: Microsoft July Patch Tuesday: 570 CVEs, 3 zero-days out.
