Skip to content
Auto-CTI
Back to all deep dives
RAPID7 CYBERSECURITY BLOG

CVE-2026-55040: Microsoft SharePoint JWT Token Authentication Bypass (FIXED)

HIGH SharePoint authentication-bypass RCE JWT
CVE-2026-55040: Microsoft SharePoint JWT Token Authentication Bypass (FIXED)

Strategic summary

Rapid7 Labs discovered a vulnerability in Microsoft SharePoint that allows bypassing JWT token authentication (CVE-2026-55040). An unauthenticated attacker can assume the identity of any SharePoint user, provided they know the user's username or SID. This vulnerability was chained with an RCE flaw to achieve unauthenticated remote code execution; the RCE component is expected to be patched in August 2026. The authentication bypass itself has already been fixed.

Key findings

  • CVE-2026-55040 enables bypass of JWT token-based authentication in Microsoft SharePoint.
  • An attacker only needs knowledge of a valid username (e.g., UPN) or Active Directory SID of the target user.
  • By assuming the user's identity, the attacker can perform operations in the user's context, including administrative actions.
  • Rapid7 Labs chained this vulnerability with an RCE flaw to demonstrate full unauthenticated code execution.
  • The authentication bypass has been fixed by Microsoft; the RCE component is slated for patching in August 2026.

Relevance for you

An authentication bypass (CVE-2026-55040) was chained by Rapid7 Labs with a separate RCE vulnerability to achieve unauthenticated remote code execution; patching the bypass breaks the exploit chain.

Mentioned CVEs

Risk score

20
cvss base
0.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
15.00
industry weight
1.21
freshness factor
1.00
exploitability factor
1.00
days old
0.00
vendor mismatch penalty
0.00

Path: operational

MITRE ATT&CK mapping

5 TTPs
Recon
Resource Dev
Execution
Persistence
Priv. Escal.
Cred. Access
Collection
C2
Exfiltration
Impact
Conf.: high medium low

Procedure details

Technique Tactic Procedure Conf. Source
T1550.001
Use Alternate Authentication Material: Application Access Token
Defense Evasion CVE-2026-55040 exploits flaws in the JWT token validation pipeline of Microsoft SharePoint, allowing an attacker to forge or manipulate JWT tokens to bypass authentication and impersonate SharePoint users or administrators. high llm
T1078
Valid Accounts
Defense Evasion After bypassing JWT authentication, the attacker assumes the identity of legitimate SharePoint users, including site administrator accounts, performing operations as those authenticated users. high llm
T1087.002
Account Discovery: Domain Account
Discovery The proof-of-concept script enumerates potential SharePoint users via SID enumeration prior to leveraging the authentication bypass to identify and target the SharePoint site administrator account. high llm
T1190
Exploit Public-Facing Application
Initial Access CVE-2026-55040 is exploited remotely by an unauthenticated attacker against a public-facing Microsoft SharePoint server to bypass authentication without any credentials. high llm
T1210
Exploitation of Remote Services
Lateral Movement CVE-2026-55040 is chained with a separate RCE vulnerability to achieve unauthenticated remote code execution against the SharePoint server, demonstrating exploitation of remote services for code execution. medium llm
ESC