Listen to this Post
How CVE-2026-54108 Works
CVE-2026-54108 is a spoofing vulnerability affecting Microsoft Office SharePoint Server, rooted in the improper handling of file names and paths (CWE-73). The flaw allows an authenticated attacker—who already possesses valid network credentials—to manipulate how SharePoint resolves and displays file references. By externally controlling the file name or path parameter in specific SharePoint requests, the attacker can cause the server to return content that appears to originate from a trusted source, while actually serving attacker-controlled or misleading data.
The vulnerability exists because SharePoint does not sufficiently validate or sanitize user-supplied input that influences file path resolution. When a privileged user (or any authenticated user with sufficient permissions) submits a crafted request containing a malicious file name or path, SharePoint processes this input without proper boundary checks. This enables the attacker to point the application to a different resource than intended—either on the local file system or across network shares—thereby spoofing the origin of the content.
Because the attack requires only low-privilege authentication (PR:L) and no user interaction (UI:N), it can be executed remotely over the network (AV:N) with low complexity (AC:L). The primary impact is on confidentiality (C:H), as the attacker can read sensitive files or directories that should be inaccessible, but integrity and availability remain unaffected. Microsoft has assigned a CVSS v3.1 base score of 6.5 (MEDIUM) to this issue.
The affected products include Microsoft SharePoint Enterprise Server 2016 (versions below 16.0.5561.1001), Microsoft SharePoint Server 2019 (versions below 16.0.10417.20175), and Microsoft SharePoint Server Subscription Edition (versions below 16.0.19725.20434). According to the CISA ADP analysis, the vulnerability is not known to be exploited in the wild (Exploitation: none), is not automatable, and has a partial technical impact. Microsoft released a security update on July 14, 2026, addressing the flaw by correcting how SharePoint validates and sanitizes file name and path inputs.
DailyCVE Form
Platform: Microsoft SharePoint
Version: 2016/2019/Subscription
Vulnerability: External File Control
Severity: MEDIUM (6.5)
date: 2026-07-14
Prediction: Patch available now
What Undercode Say
Analytics & Detection Commands
Check SharePoint Server version via PowerShell
(Get-SPFarm).BuildVersion.ToString()
Query installed SharePoint patches (search for specific KB)
Get-HotFix | Where-Object { $_.HotFixID -like "KB500" }
Search for vulnerable file path patterns in IIS logs
Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC.log" -Pattern "..\/|..\"
Test for path traversal (authenticated request example)
curl -X GET "https://sharepoint.example.com/_layouts/15/file.aspx?path=../../../../windows/win.ini" -H "Authorization: Bearer <token>"
Enumerate accessible directories using SharePoint REST API
curl -X GET "https://sharepoint.example.com/_api/web/GetFolderByServerRelativeUrl('/sites/site/../../')" -H "Accept: application/json;odata=verbose"
Exploit
An authenticated attacker can craft a HTTP request to a SharePoint endpoint that accepts a file name or path parameter, such as /_layouts/15/download.aspx?file=. By injecting directory traversal sequences (../) or absolute path references, the attacker forces the server to resolve and return files outside the intended web root. For example, a request like `/_layouts/15/download.aspx?file=../../../../windows/system32/drivers/etc/hosts` could disclose the server’s hosts file. Because the server does not validate the resolved physical path against a whitelist of allowed directories, the attacker can read arbitrary files with the permissions of the SharePoint application pool account. This spoofing attack effectively makes the server serve content from an unexpected location, tricking users and downstream systems into trusting data that originates from a non‑authorized source.
Protection
- Apply the official Microsoft update released on July 14, 2026, for your specific SharePoint version:
- SharePoint Enterprise Server 2016: update to 16.0.5561.1001 or later.
- SharePoint Server 2019: update to 16.0.10417.20175 or later.
- SharePoint Server Subscription Edition: update to 16.0.19725.20434 or later.
- Restrict authenticated user permissions to the minimum necessary; the attack requires only low‑privilege access, so limiting who can upload or reference files reduces exposure.
- Implement a Web Application Firewall (WAF) rule to block requests containing
../,..\, or absolute path patterns (e.g.,C:\,/etc/) in file‑related parameters. - Enable detailed file access auditing and monitor logs for anomalous path traversal attempts.
- Harden the SharePoint application pool identity to run with the least privileges, limiting the potential damage if traversal succeeds.
Impact
Successful exploitation allows an authorized attacker to read any file accessible to the SharePoint application pool account, potentially including configuration files, source code, database connection strings, and sensitive user documents. This confidentiality breach can lead to credential theft, intellectual property exposure, and further lateral movement within the network. Although integrity and availability are not directly compromised, the spoofed content can be used in social engineering attacks to distribute malicious files or mislead users. Given that the vulnerability is not automatable and currently has no known active exploitation, the immediate risk is moderate, but organizations should prioritize patching to prevent future misuse.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

