Researchers at Rapid7 Labs have disclosed a flaw in Microsoft SharePoint that lets a remote attacker slip past authentication and act as any user on a vulnerable server, including a site administrator, without ever logging in. Tracked as CVE-2026-55040, the bug was found during an original zero-day research project and fixed by Microsoft in this week's update.
SharePoint is one of the most widely deployed collaboration platforms in the enterprise, sitting at the center of corporate intranets, internal file sharing, and Microsoft 365 workflows. That reach is exactly what makes an authentication bypass here dangerous: the platform brokers access between employees, Active Directory, and cloud infrastructure, and it stores vast amounts of sensitive business data.
How the attack works
The vulnerability lives in the way SharePoint validates JWTs, the signed JSON Web Tokens the server uses to confirm who a request belongs to. Rapid7 researcher Stephen Fewer found several weaknesses in that validation pipeline that, taken together, let an attacker forge their way into a chosen user's identity. The one catch is that the attacker must already know which user they want to impersonate, but that is a low bar: Rapid7's proof-of-concept script enumerates valid accounts through their Active Directory Security IDs (SIDs) or User Principal Names (the email-style logon name), then uses the bypass to assume the site administrator account.
Microsoft rated CVE-2026-55040 only 5.3 (medium) on the CVSS scale, because on its own an authentication bypass does not run code. The real risk is what it unlocks. Rapid7 built the bug as one half of an exploit chain for the Pwn2Own Berlin contest, pairing it with a separate remote code execution (RCE) flaw to achieve fully unauthenticated RCE on a SharePoint server. Microsoft is expected to patch that second RCE component in its August 2026 update cycle.
Why a medium severity bug matters
The chain is a reminder that severity scores judge vulnerabilities in isolation, not in combination. As the researchers note, patching the medium-severity authentication bypass breaks the whole chain and blocks the high-impact RCE outcome. It echoes the sustained interest attackers have shown in Microsoft identity plumbing, from forged AD FS logins to recently patched Defender zero-days.
The team also disclosed that much of the exploit chain was built with heavy use of an AI coding agent: across 24 active days they ran 96 sessions and roughly 80,000 agentic tool calls, and noted a marked jump in the models' usefulness between January and March 2026.
What you should do
Apply Microsoft's SharePoint update for CVE-2026-55040 without waiting for the August RCE patch, since fixing the bypass alone is enough to break the published chain. Administrators should also watch for unusual SID or UPN enumeration and unexpected administrative actions on on-premises SharePoint sites.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.