Microsoft SharePoint Server Spoofing Vulnerability (CVE-2026-56157) – Medium -DC-Jul2026-1020

Listen to this Post

CVE-2026-56157 is an improper access control vulnerability affecting Microsoft Office SharePoint that allows an authorized attacker to perform spoofing over a network. The flaw resides in how SharePoint validates and enforces permissions for certain network-facing functions, enabling a low‑privileged authenticated user to craft requests that impersonate other users or systems. Because the access control checks are insufficient, an attacker who already holds valid credentials can manipulate SharePoint’s trust relationships, presenting forged identities or content to other clients and servers within the same network.
The vulnerability carries a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. This indicates that the attack is network‑accessible, requires low attack complexity, demands low‑privileged authentication, needs no user interaction, and has a limited impact on confidentiality and integrity with no availability impact. The CWE‑284 (Improper Access Control) underpins the issue.
Affected products include Microsoft SharePoint Enterprise Server 2016 (versions prior to 16.0.5561.1001), Microsoft SharePoint Server 2019 (prior to 16.0.10417.20175), and Microsoft SharePoint Server Subscription Edition (prior to 16.0.19725.20434). Microsoft released security updates as part of the July 2026 Patch Tuesday to address the flaw. While the vulnerability is not known to be exploited in the wild and is not automatable, its presence in widely deployed collaboration platforms makes patching a high priority.

DailyCVE Form:

Platform: Microsoft SharePoint Server
Version: 2016, 2019, Subscription Edition
Vulnerability: Improper Access Control (Spoofing)
Severity: Medium (CVSS 5.4)
Date: 2026‑07‑14

Prediction: Already patched (July 2026)

What Undercode Say: Analytics

Check installed SharePoint version (PowerShell)
Get-SPFarm | Select-Object BuildVersion
Compare against fixed versions:
SharePoint 2016: >= 16.0.5561.1001
SharePoint 2019: >= 16.0.10417.20175
Subscription Edition: >= 16.0.19725.20434
Query the update status via Microsoft Update API
Get-HotFix | Where-Object { $<em>.HotFixID -like "KB" } | Select-Object HotFixID, InstalledOn
Use MSRC Update Guide API to retrieve CVE details
$cve = "CVE-2026-56157"
Invoke-RestMethod -Uri "https://api.msrc.microsoft.com/update-guide/api/v1/cves/$cve" | ConvertTo-Json
Detect potentially vulnerable SharePoint servers in the network
Get-ADComputer -Filter {OperatingSystem -like "SharePoint"} | ForEach-Object {
$server = $</em>.Name
$version = Invoke-Command -ComputerName $server -ScriptBlock {
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\16.0" -Name Version).Version
}
if ($version -lt "16.0.5561.1001") {
Write-Warning "$server is vulnerable to CVE-2026-56157"
}
}

Exploit:

An authenticated attacker with minimal privileges can exploit CVE-2026-56157 by sending specially crafted HTTP requests to SharePoint’s REST API or SOAP endpoints. Due to improper access control, the server does not adequately verify whether the requesting principal has the right to impersonate another user or to forge response data. The attacker can thus:

1. Intercept or replay valid session tokens.

  1. Manipulate the X-Forwarded-For, Referer, or custom authentication headers to impersonate a higher‑privileged user.
  2. Submit requests that bypass resource‑based permission checks, allowing the attacker to view or modify content belonging to others, or to present fake notifications and login pages (spoofing).
    Because the attack requires only network access and valid low‑privileged credentials, it can be executed from any client on the same network without user interaction. The spoofed content can then be used for further phishing or data exfiltration.

Protection:

  • Apply the official Microsoft update released on July 14, 2026, for all affected SharePoint versions. The fixed builds are:
  • SharePoint 2016: 16.0.5561.1001 or later
  • SharePoint 2019: 16.0.10417.20175 or later
  • Subscription Edition: 16.0.19725.20434 or later
  • Restrict network access to SharePoint servers using firewalls and VLANs, allowing only trusted subnets.
  • Enforce multi‑factor authentication (MFA) for all SharePoint users to reduce the risk of credential compromise.
  • Audit and review permission settings regularly; remove unnecessary privileges from low‑level accounts.
  • Enable detailed logging for authentication and authorization events, and monitor for anomalous request patterns (e.g., unexpected impersonation attempts).
  • Consider using a Web Application Firewall (WAF) to filter malformed or suspicious requests targeting SharePoint endpoints.

Impact:

Successful exploitation of CVE‑2026‑56157 allows an authorized attacker to spoof identities or content within the SharePoint environment. The limited confidentiality and integrity impact (CVSS scores of L for both) means an attacker could:
– Read sensitive documents or list items that they are not authorized to access.
– Modify or delete content belonging to other users, potentially corrupting critical business data.
– Impersonate legitimate users to send misleading notifications, harvest credentials, or pivot to other internal systems.
– Undermine trust in SharePoint as a secure collaboration platform, leading to reputational damage and regulatory compliance issues if data breaches occur.
Although the vulnerability is rated Medium, its presence in enterprise‑critical infrastructure and the low barrier to exploitation (authenticated network access) demand urgent remediation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top