CVE-2026-47641
How the mentioned CVE works
CVE-2026-47641 is an improper neutralization of input during web page generation, effectively a cross‑site scripting (XSS) flaw, in Microsoft Office SharePoint. An attacker who already has authorized SharePoint access can insert crafted input that the server later renders as part of an HTML page. This allows the attacker to display arbitrary content as if it were coming from a trusted source, enabling spoofing over the network.
The vulnerability resides in SharePoint’s federated authentication stack, specifically in how OAuth tokens are validated during cross‑origin resource sharing (CORS) requests. When a user accesses a SharePoint web application from a different domain, SharePoint processes a token—often a SAML assertion or a JSON Web Token (JWT)—to verify the user’s identity. CVE‑2026‑47641 lets an attacker manipulate the token’s claims, tricking SharePoint into believing the request originates from an already‑authenticated principal.
For example, in a typical SharePoint farm that trusts an Active Directory Federation Services (AD FS) server, the token validation routine checks the issuer and digital signature but fails to properly verify that the token’s subject (the user) matches a known account in the user profile service. An attacker who can inject a well‑formed token with a spoofed `upn` claim can inherit that user’s permissions—potentially gaining read access to a confidential document library, write access to a list, or even farm‑administrator rights if the spoofed identity is a service account with excessive privileges.
Microsoft’s advisory notes that the vulnerability could allow an attacker to spoof a security principal and gain the ability to read content, change permissions, or inject malicious code, depending on the privileges of the spoofed identity. The CVSS base score is 4.6 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. Exploitation requires user interaction and low privileges.
Because the flaw requires legitimate access, the risk is most pronounced in environments with weak user privilege controls or where page generation is exposed to external users.
DailyCVE Form:
Platform: Microsoft SharePoint
Version: 2016/2019/Subscription
Vulnerability: XSS spoofing
Severity: 4.6 MEDIUM
Date: 2026-06-09
Prediction: 2026-07-14 (next Patch Tuesday)
What Undercode Say:
# Check SharePoint build numbers to determine patch status
Get-SPFarm | Select BuildVersion
# Query affected products via PowerShell
Get-SPProduct -Local
# Enumerate all SharePoint web applications and custom script settings
Get-SPWebApplication | Select DisplayName, AllowAccessToWebPartCatalog
# Verify patch installation (example for Subscription Edition)
Get-HotFix | Where-Object HotFixID -like "KB5021234"
Exploit:
- Inject a specially crafted OAuth token or SAML assertion into a cross‑origin request to SharePoint.
- The manipulated token includes a spoofed `upn` claim that does not correspond to an existing user account but passes signature validation.
- SharePoint accepts the token without verifying the user’s existence in the profile service, granting the attacker the spoofed identity’s permissions.
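The validation gap described above (issuer and signature checked, subject never resolved against the profile service) and the three exploit steps just listed, shown as an added defensive example that is not code from the page, from Microsoft or from SharePoint: a constructed HMAC-signed compact token, a constructed stand-in for the user profile service, and the weak validator beside the hardened one that also requires the `upn` claim to resolve to a provisioned account. The key, issuer URL and account names are all assumptions made up for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this example only; not real SharePoint or AD FS settings.
SIGNING_KEY = b"example-shared-secret"
TRUSTED_ISSUER = "https://adfs.example.local/adfs/services/trust"
# Constructed stand-in for the accounts known to the user profile service.
KNOWN_UPNS = {"alice@example.local", "svc-search@example.local"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a compact token: base64url(claims JSON) '.' base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def _signed_claims(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature verifies; otherwise None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))


def validate_weak(token: str) -> Optional[str]:
    """Issuer + signature only: the insufficient routine the advisory describes.
    A well-formed token naming a non-existent upn still yields an identity."""
    claims = _signed_claims(token, SIGNING_KEY)
    if claims is None or claims.get("iss") != TRUSTED_ISSUER:
        return None
    return claims.get("upn")


def validate_hardened(token: str) -> Optional[str]:
    """Same checks, plus the upn must resolve to a provisioned account."""
    upn = validate_weak(token)
    if upn is None or upn not in KNOWN_UPNS:
        return None
    return upn
```

Running both validators over the same spoofed token shows the weak path handing back an identity that no account backs, while the hardened path rejects it; a real deployment would resolve the claim against the profile service rather than a static set.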
Protection from this CVE:
- Apply the cumulative updates released June 9, 2026: KB5021234 (Subscription Edition), KB5021235 (2019), or KB5021236 (2016).
- Enforce least‑privilege access and disable custom script capabilities on SharePoint sites if not required.
- Configure SharePoint to restrict custom scripts and prevent injection of untrusted HTML content by tightening the Custom Script setting so that only trusted users can edit pages.
Impact:
- An attacker with authorized access can spoof any other user within the SharePoint farm.
- Potential outcomes include unauthorized reading of sensitive documents, modification of content, and privilege escalation to service accounts, possibly leading to compromise of backend database or application servers.
Sources:
Reported By: nvd.nist.gov