Patch SharePoint CVE-2026-56164 Before a Low CVSS Score Hides the KEV Risk

Source image from Rapid7 July 2026 Patch Tuesday analysis.Rapid7 July 2026 Patch Tuesday analysis
Source image from Rapid7 July 2026 Patch Tuesday analysis.Rapid7 July 2026 Patch Tuesday analysis
Tools & Apps

Microsoft's July 2026 Patch Tuesday includes an actively exploited SharePoint Server privilege escalation flaw that NVD lists in CISA KEV, despite Microsoft's medium CVSS score.

Microsoft's July 2026 Patch Tuesday includes CVE-2026-56164, a SharePoint Server missing-authentication vulnerability that is being exploited in the wild. Confidence level: confirmed. The awkward part is prioritization: Microsoft's CNA score is medium, while NVD lists the same CVE as critical and shows CISA KEV context with a July 17, 2026 due date.

What changed

CVE-2026-56164 affects Microsoft SharePoint Server. NVD describes it as missing authentication for a critical function that allows an unauthorized attacker to elevate privileges over a network. NVD lists affected configurations for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.

Microsoft's advisory is the primary vendor source. Rapid7's July 2026 Patch Tuesday analysis adds the practical detail that Microsoft is aware of in-the-wild exploitation for CVE-2026-56164, with no existing privileges required and low attack complexity. Rapid7 also notes that the CVSS score alone can understate the operational risk.

Why this is early

The advisory landed on July 14, 2026 as part of Microsoft's July Patch Tuesday. NVD's entry was published the same day and includes CISA KEV context. That makes the useful window short: defenders should identify exposed on-premises SharePoint servers now, not wait for a weekly vulnerability cycle.

This item is separate from older 2025 SharePoint exploitation coverage and separate from SonicWall's SMA1000 KEV additions. The shared pattern is active exploitation plus a short remediation clock, not a single combined vulnerability chain.

Key takeaways

  • CVE-2026-56164 affects on-premises Microsoft SharePoint Server, not SharePoint Online.
  • NVD describes the issue as missing authentication for a critical function that enables network-based privilege escalation.
  • Rapid7 says Microsoft is aware of in-the-wild exploitation.
  • NVD lists a Microsoft CNA score of 5.3, but NVD's own CVSS 3.1 score is 9.8 critical.
  • KEV context means teams should prioritize exposure, patch status, and forensics over raw CVSS sorting.
SourceWhat it confirmsPractical useCaveat
Microsoft MSRCVendor advisory and update guidancePatch source of truthPage may require dynamic loading
NVDDescription, affected versions, KEV context, CVSS comparisonTriage and evidence recordNVD and CNA scores differ
Rapid7Patch Tuesday context and exploitation notePrioritization for security teamsThird-party analysis, not the vendor fix
HKCERTRegional security bulletin contextAdditional corroborationFollow Microsoft for final fixes

Availability and access

Administrators should use Microsoft Update, WSUS, Microsoft Update Catalog, or the MSRC advisory flow that matches their SharePoint Server version. NVD lists affected version ranges for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, so inventory needs to distinguish on-premises server versions rather than Microsoft 365 cloud services.

The public evidence points to active exploitation and KEV treatment, but it does not provide a safe public exploit walkthrough. That is enough for prioritization. Internet-exposed SharePoint Server farms should move first, followed by internal farms with sensitive content or weak segmentation.

Practical LinkLoot angle

The useful workflow is a patch-and-evidence loop: inventory SharePoint versions, confirm exposure, apply the Microsoft update path, then document whether logs, web shells, unusual service activity, or authentication anomalies require incident response. AI can help structure the runbook, but it should not be treated as evidence of compromise.

For repeatable triage, pair this with /guides/ai-workflow-automation: use the assistant for checklist generation, stakeholder updates, and evidence organization while keeping the authoritative facts tied to MSRC, NVD, and your logs.

What to verify before you act

  • Confirm whether you run SharePoint Enterprise Server 2016, SharePoint Server 2019, or SharePoint Server Subscription Edition on premises.
  • Check the MSRC advisory for the exact update package that applies to your build.
  • Prioritize any SharePoint Server exposed to the internet or reachable from less-trusted network zones.
  • Review NVD's KEV context and your organization's KEV remediation SLA.
  • Preserve relevant logs before cleanup if exploitation is plausible.

Source check

Confirmed by:

  • Microsoft's MSRC advisory for CVE-2026-56164, the vendor source for affected products and update guidance.
  • NVD's CVE-2026-56164 entry, which describes the vulnerability, affected SharePoint Server versions, CVSS scores, and KEV context.

Early signal / context:

  • Rapid7's Patch Tuesday analysis says Microsoft is aware of exploitation in the wild and calls out the CVSS-prioritization problem.
  • HKCERT's Microsoft monthly security update adds regional security bulletin corroboration for July 2026 Microsoft patching.
FAQ

Rapid7 says Microsoft is aware of in-the-wild exploitation, and NVD lists CISA KEV context for the vulnerability.