RAPID7 CYBERSECURITY BLOG
CVE-2026-55040: Microsoft SharePoint JWT Token Authentication Bypass (FIXED)
HIGH SharePoint authentication-bypass RCE JWT
Strategic summary
Rapid7 Labs discovered a vulnerability in Microsoft SharePoint that allows bypassing JWT token authentication (CVE-2026-55040). An unauthenticated attacker can assume the identity of any SharePoint user, provided they know the user's username or SID. This vulnerability was chained with an RCE flaw to achieve unauthenticated remote code execution; the RCE component is expected to be patched in August 2026. The authentication bypass itself has already been fixed.
Key findings
- CVE-2026-55040 enables bypass of JWT token-based authentication in Microsoft SharePoint.
- An attacker only needs knowledge of a valid username (e.g., UPN) or Active Directory SID of the target user.
- By assuming the user's identity, the attacker can perform operations in the user's context, including administrative actions.
- Rapid7 Labs chained this vulnerability with an RCE flaw to demonstrate full unauthenticated code execution.
- The authentication bypass has been fixed by Microsoft; the RCE component is slated for patching in August 2026.
Relevance for you
An authentication bypass (CVE-2026-55040) was chained by Rapid7 Labs with a separate RCE vulnerability to achieve unauthenticated remote code execution; patching the bypass breaks the exploit chain.
Mentioned CVEs
Risk score
20
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 15.00
- industry weight
- 1.21
- freshness factor
- 1.00
- exploitability factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
Path: operational
MITRE ATT&CK mapping
5 TTPs Recon
Resource Dev
Initial Access
T1190 Exploit Public-Facing Application Execution
Persistence
Priv. Escal.
Def. Evasion
T1550.001 Use Alternate Authentication Material: Application Access Token T1078 Valid Accounts Cred. Access
Lateral Mov.
T1210 Exploitation of Remote Services Collection
C2
Exfiltration
Impact
Procedure details
| Technique | Tactic | Procedure | Conf. | Source |
|---|---|---|---|---|
| T1550.001 Use Alternate Authentication Material: Application Access Token | Defense Evasion | CVE-2026-55040 exploits flaws in the JWT token validation pipeline of Microsoft SharePoint, allowing an attacker to forge or manipulate JWT tokens to bypass authentication and impersonate SharePoint users or administrators. | high | llm |
| T1078 Valid Accounts | Defense Evasion | After bypassing JWT authentication, the attacker assumes the identity of legitimate SharePoint users, including site administrator accounts, performing operations as those authenticated users. | high | llm |
| T1087.002 Account Discovery: Domain Account | Discovery | The proof-of-concept script enumerates potential SharePoint users via SID enumeration prior to leveraging the authentication bypass to identify and target the SharePoint site administrator account. | high | llm |
| T1190 Exploit Public-Facing Application | Initial Access | CVE-2026-55040 is exploited remotely by an unauthenticated attacker against a public-facing Microsoft SharePoint server to bypass authentication without any credentials. | high | llm |
| T1210 Exploitation of Remote Services | Lateral Movement | CVE-2026-55040 is chained with a separate RCE vulnerability to achieve unauthenticated remote code execution against the SharePoint server, demonstrating exploitation of remote services for code execution. | medium | llm |