Published Tuesday, July 14, 2026 at 07:41 AM PT

BLUF: Rapid7 Labs and Microsoft jointly disclosed CVE-2026-55040, an unauthenticated authentication bypass in Microsoft SharePoint. This vulnerability is the first component of a chained exploit that achieves remote code execution when combined with a second, yet-to-be-patched vulnerability. Organizations running vulnerable SharePoint instances should prioritize immediate assessment and prepare for patching upon Microsoft’s release.
DETAILS:
- Rapid7 Labs conducted zero-day research resulting in discovery of two chained vulnerabilities affecting Microsoft SharePoint
- CVE-2026-55040 (authentication bypass) is disclosed today; the RCE component remains under embargo pending Microsoft patch release
- The exploit chain achieves unauthenticated remote code execution against vulnerable SharePoint servers
- UNCERTAIN: Specific patch timeline from Microsoft not provided in available disclosure materials
- UNCERTAIN: Affected SharePoint versions and configurations not yet detailed in public advisory
IMPACT:
- Scope: Organizations operating Microsoft SharePoint infrastructure
- Risk Level: CRITICAL — unauthenticated RCE capability represents maximum severity
- Affected Systems: SharePoint deployments matching vulnerability criteria (version/configuration details pending full advisory)
- Exposure: Internet-facing or network-accessible SharePoint instances are immediately at risk once exploit details circulate
RECOMMENDED ACTIONS:
- IMMEDIATE: Identify and inventory all SharePoint deployments in your environment
- IMMEDIATE: Restrict network access to SharePoint servers where operationally feasible pending patch availability
- URGENT: Monitor Microsoft Security Response Center (MSRC) for CVE-2026-55040 advisory with affected versions and patch timeline
- URGENT: Prepare change management and testing procedures for emergency patching
- ONGOING: Monitor for any public exploit code or active exploitation attempts
SOURCES:
- Rapid7 Labs disclosure (joint with Microsoft)
- Microsoft security advisory (pending full MSRC publication)
