Patch SharePoint CVE-2026-56164 before the new CISA deadline
CISA says CVE-2026-56164 is being actively exploited against on-premises SharePoint Server. Treat the July 2026 Patch Tuesday fix as an emergency change for exposed SharePoint estates.
CISA has added a new urgency layer to Microsoft SharePoint patching: CVE-2026-56164 is under active exploitation. Confidence level: confirmed by CISA, with Microsoft Patch Tuesday coverage corroborated by independent security reporting. The practical move is simple: patch on-premises SharePoint Server, verify AMSI/request-body scanning posture, and treat exposed servers as priority assets until remediation is complete.
What changed
On July 14, 2026, CISA warned that threat actors are exploiting SharePoint vulnerabilities including CVE-2026-56164. The KEV catalog describes CVE-2026-56164 as a missing-authentication issue in SharePoint that can let an unauthenticated attacker elevate privileges over a network.
Microsoft's July 2026 Patch Tuesday cycle also drew attention because it shipped an unusually large number of fixes and included exploited zero-days. Security reporting from BleepingComputer and Tenable identifies CVE-2026-56164 as an actively exploited SharePoint Server elevation-of-privilege flaw affecting on-premises SharePoint deployments.
| Item | Best fit | Access/status | Caveat |
|---|---|---|---|
| CVE-2026-56164 | On-prem SharePoint patch priority | Listed by CISA as exploited | CVSS alone understates operational urgency |
| AMSI full request-body scanning | Temporary hardening check | Recommended in security reporting based on Microsoft guidance | Mitigation is not a replacement for patching |
| SharePoint Online | Scope check | Not the same exposure class as on-prem SharePoint Server | Confirm tenant-specific Microsoft advisories separately |
Key takeaways
- Patch SharePoint Server systems affected by CVE-2026-56164 before lower-risk July updates.
- Check whether exposed SharePoint servers have already shown suspicious access patterns.
- Enable or verify AMSI integration and full request-body scanning where applicable.
- Do not rank this only by its moderate CVSS score; CISA's KEV listing means exploitation is already observed.
- Keep CVE-2026-32201 and CVE-2026-45659 in the same SharePoint review queue because CISA grouped the new warning with prior exploitation.
Availability and access
Administrators should use Microsoft's July 2026 security update path for supported SharePoint Server versions and confirm the exact affected products in the Microsoft Security Update Guide before deployment. CISA's KEV catalog sets the emergency posture: exploited vulnerabilities need a remediation plan with a hard deadline, not a normal monthly patch queue.
If a SharePoint instance is internet-facing, prioritize it first. If it cannot be patched immediately, reduce exposure, review authentication boundaries, enable the relevant scanning controls, and start log review before assuming the system is clean.
Practical LinkLoot angle
This is the kind of security item that belongs in an operations checklist, not a news bookmark. SharePoint often sits behind business-critical workflows, so the risky failure mode is waiting for a convenient maintenance window while attackers already have a working path.
For teams running mixed Microsoft estates, pair this with a broader automation checklist from the LinkLoot guide to AI workflow automation: inventory exposed services, assign patch owners, capture evidence, and create a follow-up task for post-patch hunting.
What to verify before you act
- Confirm the exact SharePoint Server versions and cumulative updates required in Microsoft's Security Update Guide.
- Check CISA's KEV entry for the due date and any updated remediation notes.
- Review whether the server is internet-facing or reachable from less-trusted network zones.
- Verify AMSI integration and Request Body Scan mode where Microsoft guidance applies.
- Search logs for suspicious SharePoint access before and after patching.
Source check
Confirmed by:
- CISA's July 14 alert says it is aware of active exploitation involving CVE-2026-56164 and other SharePoint vulnerabilities.
- CISA's KEV catalog lists CVE-2026-56164 as an exploited SharePoint vulnerability.
Independent context:
- BleepingComputer reports that Microsoft's July 2026 Patch Tuesday fixes an actively exploited SharePoint flaw and notes Microsoft's mitigation guidance around AMSI and full request-body scanning.
- Tenable's Patch Tuesday analysis identifies CVE-2026-56164 as a SharePoint Server elevation-of-privilege vulnerability that Microsoft says was exploited in the wild.
Yes. CISA lists it in the Known Exploited Vulnerabilities catalog and issued a July 14, 2026 alert covering new SharePoint exploitation.
